[MINOR] Updated shiro.ini.template to include secure cookie option

### What is this PR for?
Based on the discussion in https://github.com/apache/zeppelin/pull/2545, I'm updating the shiro.ini.template to include the secure cookie option. With this change, Zeppelin Shiro will always set the 'HttpOnly' flag in the cookie. This will help to prevent the majority of cross-site scripting (XSS) attacks.

### What type of PR is it?
Minor Improvement

### What is the Jira issue?
Minor change in shiro.ini

### How should this be tested?
CI tests should pass

### Questions:
* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? Doc changes already done in https://github.com/apache/zeppelin/pull/2545

Author: Vipin Rathor <v.rathor@gmail.com>

Closes #2550 from VipinRathor/fix-shiro-template and squashes the following commits:

6339243 [Vipin Rathor] Commenting out secure flag for Zeppelin cookies in shiro.ini.template Added description as well.
1da09cf [Vipin Rathor] [MINOR] Updated shiro.init.template to include secure cookie option

(cherry picked from commit 2437c8029c1f84460932ec65833ada356c3fc461)
Signed-off-by: Lee moon soo <moon@apache.org>
diff --git a/conf/shiro.ini.template b/conf/shiro.ini.template
index 0a3187a..5b3bb6c 100644
--- a/conf/shiro.ini.template
+++ b/conf/shiro.ini.template
@@ -61,6 +61,14 @@
 #cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
 #securityManager.cacheManager = $cacheManager
 
+### Enables 'HttpOnly' flag in Zeppelin cookies
+cookie = org.apache.shiro.web.servlet.SimpleCookie
+cookie.name = JSESSIONID
+cookie.httpOnly = true
+### Uncomment the below line only when Zeppelin is running over HTTPS
+#cookie.secure = true
+sessionManager.sessionIdCookie = $cookie
+
 securityManager.sessionManager = $sessionManager
 # 86,400,000 milliseconds = 24 hour
 securityManager.sessionManager.globalSessionTimeout = 86400000
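
Review bot: The comment on the first added line, "Enables 'HttpOnly' flag in Zeppelin cookies", is broader than what the block configures. Only the single SimpleCookie named JSESSIONID is assigned, through `sessionManager.sessionIdCookie = $cookie`, so the flag applies to the session id cookie and not to any other cookie the server may set. Suggest wording it as "Sets the 'HttpOnly' flag on the session id cookie (JSESSIONID)", and keeping the description to what the flag does: page scripts cannot read the cookie, while script injection itself is not prevented. With `#cookie.secure = true` left commented out, the session id cookie is still sent on plain-HTTP requests. That is a reasonable default for a template that has to work without TLS, but the comment above it should say what uncommenting it does (the cookie is only sent over HTTPS) so it is not missed on HTTPS deployments. The block also depends on `sessionManager` being defined above line 61, which this hunk does not show; please confirm the definition precedes `sessionManager.sessionIdCookie = $cookie`. A smaller style point: the context lines use a single `#` for comments, while the two added comment lines use `###`.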