deprecate HttpSessionSecurityCookieFilter

This fixes ArcBees#484

HttpSessionSecurityCookieFilter duplicates the JSESSIONID in another cookie, one that can't be marked 'Htt
pOnly'. That means in an XSS attack the attacker could read the JSESSIONID and hijack the session.

Instead we should use RandomSecurityCookieFilter which doesn't have this issue (since it doesn't duplicate the JSESSIONID).

Author: bradcupit

gwtp-core/gwtp-dispatch-rpc-server-guice/src/main/java/com/gwtplatform/dispatch/rpc/server/guice/HttpSessionSecurityCookieFilter.java

@@ -35,7 +35,11 @@
  * </pre>
  * <p/>
  * You also have to use a {@code .jsp} file instead of a {@code .html} as your main GWT file.
+ *
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.guice.RandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
  */
+@Deprecated
 @Singleton
 public class HttpSessionSecurityCookieFilter extends AbstractHttpSessionSecurityCookieFilter {
 

gwtp-core/gwtp-dispatch-rpc-server-guice/src/main/java/com/gwtplatform/dispatch/server/guice/HttpSessionSecurityCookieFilter.java

@@ -37,7 +37,8 @@
  * <p/>
  * You also have to use a {@code .jsp} file instead of a {@code .html} as your main GWT file.
  *
- * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.guice.HttpSessionSecurityCookieFilter}.
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.guice.RandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
  */
 @Deprecated
 @Singleton

gwtp-core/gwtp-dispatch-rpc-server-spring/src/main/java/com/gwtplatform/dispatch/rpc/server/spring/HttpSessionSecurityCookieFilter.java

@@ -23,6 +23,11 @@
 
 import com.gwtplatform.dispatch.rpc.server.AbstractHttpSessionSecurityCookieFilter;
 
+/**
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.spring.RandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
+ */
+@Deprecated
 public class HttpSessionSecurityCookieFilter extends AbstractHttpSessionSecurityCookieFilter {
     public HttpSessionSecurityCookieFilter(String securityCookieName) {
         super(securityCookieName);

gwtp-core/gwtp-dispatch-rpc-server-spring/src/main/java/com/gwtplatform/dispatch/server/spring/HttpSessionSecurityCookieFilter.java

@@ -24,7 +24,8 @@
 import com.gwtplatform.dispatch.server.AbstractHttpSessionSecurityCookieFilter;
 
 /**
- * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.spring.HttpSessionSecurityCookieFilter}.
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.spring.RandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
  */
 @Deprecated
 public class HttpSessionSecurityCookieFilter extends AbstractHttpSessionSecurityCookieFilter {

gwtp-core/gwtp-dispatch-rpc-server/src/main/java/com/gwtplatform/dispatch/rpc/server/AbstractHttpSessionSecurityCookieFilter.java

@@ -40,7 +40,11 @@
  * </pre>
  * <p/>
  * You also have to use a {@code .jsp} file instead of a {@code .html} as your main GWT file.
+ *
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.AbstractRandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
  */
+@Deprecated
 public abstract class AbstractHttpSessionSecurityCookieFilter implements Filter {
 
     private final String securityCookieName;

gwtp-core/gwtp-dispatch-rpc-server/src/main/java/com/gwtplatform/dispatch/rpc/server/AbstractRandomSecurityCookieFilter.java

@@ -32,9 +32,7 @@
 
 /**
  * This filter will automatically inject a security cookie inside the request the first time the page is loaded. This
- * security cookie is a simple randomly generated number, and might be slightly less secure than
- * {@link com.gwtplatform.dispatch.rpc.server.guice.HttpSessionSecurityCookieFilter}, although it will work even if you
- * don't have access to an {@link javax.servlet.http.HttpSession}. To setup this filter, add the following line at
+ * security cookie is a simple randomly generated number. To setup this filter, add the following line 
  * before any other {@code serve} call in your own {@link com.google.inject.servlet.ServletModule#configureServlets}:
  * <p/>
  * <pre>

gwtp-core/gwtp-dispatch-rpc-server/src/main/java/com/gwtplatform/dispatch/server/AbstractHttpSessionSecurityCookieFilter.java

@@ -41,7 +41,8 @@
  * <p/>
  * You also have to use a {@code .jsp} file instead of a {@code .html} as your main GWT file.
  *
- * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.AbstractHttpSessionSecurityCookieFilter}.
+ * @deprecated Please use {@link com.gwtplatform.dispatch.rpc.server.AbstractRandomSecurityCookieFilter}.
+ * Using the JSESSIONID like this might let an XSS attacker hijack a session. See GitHub issue #484
  */
 @Deprecated
 public abstract class AbstractHttpSessionSecurityCookieFilter implements Filter {