1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 package org.apache.shiro.web.servlet; 20 21 import javax.servlet.http.HttpServletRequest; 22 import javax.servlet.http.HttpServletResponse; 23 24 /** 25 * Interface representing HTTP cookie operations, supporting pojo-style getters and setters for all 26 * attributes which includes <a href="http://www.owasp.org/index.php/HttpOnly">HttpOnly</a> support. 27 * This allows Shiro to set <a href="http://www.owasp.org/index.php/HttpOnly">HttpOnly</a> cookies even on 28 * Servlet containers based on the {@code 2.4} and {@code 2.5} API (Servlet API 'native' support was only introduced in 29 * the {@code 2.6} specification). 30 * 31 * @since 1.0 32 */ 33 public interface Cookie { 34 /** 35 * The value of deleted cookie (with the maxAge 0). 36 */ 37 public static final String DELETED_COOKIE_VALUE = "deleteMe"; 38 39 40 /** 41 * The number of seconds in one year (= 60 * 60 * 24 * 365). 42 */ 43 public static final int ONE_YEAR = 60 * 60 * 24 * 365; 44 45 /** 46 * Root path to use when the path hasn't been set and request context root is empty or null. 47 */ 48 public static final String ROOT_PATH = "/"; 49 50 /** 51 * The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context. 52 */ 53 public enum SameSiteOptions { 54 /** 55 * Cookies will be sent in all contexts, i.e sending cross-origin is allowed. 56 * 57 * <p>None used to be the default value, but recent browser versions made Lax the default value 58 * to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.</p> 59 * 60 * <p>None requires the Secure attribute in latest browser versions. See below for more information.</p> 61 */ 62 NONE, 63 /** 64 * Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests 65 * initiated by third party website. This is the default value in modern browsers as of 2020. 66 */ 67 LAX, 68 /** 69 * Cookies will only be sent in a first-party context 70 * and not be sent along with requests initiated by third party websites. 71 */ 72 STRICT, 73 } 74 75 String getName(); 76 77 void setName(String name); 78 79 String getValue(); 80 81 void setValue(String value); 82 83 String getComment(); 84 85 void setComment(String comment); 86 87 String getDomain(); 88 89 void setDomain(String domain); 90 91 int getMaxAge(); 92 93 void setMaxAge(int maxAge); 94 95 String getPath(); 96 97 void setPath(String path); 98 99 boolean isSecure(); 100 101 void setSecure(boolean secure); 102 103 int getVersion(); 104 105 void setVersion(int version); 106 107 void setHttpOnly(boolean httpOnly); 108 109 boolean isHttpOnly(); 110 111 void setSameSite(SameSiteOptions sameSite); 112 113 SameSiteOptions getSameSite(); 114 115 void saveTo(HttpServletRequest request, HttpServletResponse response); 116 117 void removeFrom(HttpServletRequest request, HttpServletResponse response); 118 119 String readValue(HttpServletRequest request, HttpServletResponse response); 120 }