MINOR: http: add support for "httponly" and "secure" cookie attributes

   httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
             when a cookie is inserted. This attribute is used so that a
             user agent doesn't share the cookie with non-HTTP components.
             Please check RFC6265 for more information on this attribute.

   secure    This option tells haproxy to add a "Secure" cookie attribute when
             a cookie is inserted. This attribute is used so that a user agent
             never emits this cookie over non-secure channels, which means
             that a cookie learned with this flag will be presented only over
             SSL/TLS connections. Please check RFC6265 for more information on
             this attribute.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1253357b0a6426f87dcb5118f25e1d4f5bf9eff7..b7ca28d09b0986672772f0294238d0f79075b187 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1891,8 +1891,8 @@ contimeout <timeout> (deprecated)
 
 
 cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
-              [ postonly ] [ preserve ] [ domain <domain> ]*
-              [ maxidle <idle> ] [ maxlife <life> ]
+              [ postonly ] [ preserve ] [ httponly ] [ secure ]
+              [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
   Enable cookie-based persistence in a backend.
   May be used in sections :   defaults | frontend | listen | backend
                                  yes   |    no    |   yes  |   yes
@@ -1990,6 +1990,18 @@ cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
               shutdown because users will definitely leave the server after
               they logout.
 
+    httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
+              when a cookie is inserted. This attribute is used so that a
+              user agent doesn't share the cookie with non-HTTP components.
+              Please check RFC6265 for more information on this attribute.
+
+    secure    This option tells haproxy to add a "Secure" cookie attribute when
+              a cookie is inserted. This attribute is used so that a user agent
+              never emits this cookie over non-secure channels, which means
+              that a cookie learned with this flag will be presented only over
+              SSL/TLS connections. Please check RFC6265 for more information on
+              this attribute.
+
     domain    This option allows to specify the domain at which a cookie is
               inserted. It requires exactly one parameter: a valid domain
               name. If the domain begins with a dot, the browser is allowed to

diff --git a/include/types/proxy.h b/include/types/proxy.h
index 1da0f9ddb03e7fc69a43948f54b24eb6ea847e20..53dd96d7b7c07675a2b5c8aabb05b4b6705ffe23 100644 (file)
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -169,6 +169,8 @@ enum {
 #define PR_CK_NOC       0x00000010      /* add a 'Cache-control' header with the cookie */
 #define PR_CK_POST      0x00000020      /* don't insert cookies for requests other than a POST */
 #define PR_CK_PSV       0x00000040      /* cookie ... preserve */
+#define PR_CK_HTTPONLY  0x00000080      /* emit the "HttpOnly" attribute */
+#define PR_CK_SECURE    0x00000100      /* emit the "Secure" attribute */
 
 /* bits for sticking rules */
 #define STK_IS_MATCH   0x00000001      /* match on request fetch */

diff --git a/src/cfgparse.c b/src/cfgparse.c
index a7aade5aa6b864caf396d94232a8827d7674c48e..5f8cb9675fa259eee3ca8e4952006c920e028e1b 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2161,6 +2161,12 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
                        else if (!strcmp(args[cur_arg], "prefix")) {
                                curproxy->ck_opts |= PR_CK_PFX;
                        }
+                       else if (!strcmp(args[cur_arg], "httponly")) {
+                               curproxy->ck_opts |= PR_CK_HTTPONLY;
+                       }
+                       else if (!strcmp(args[cur_arg], "secure")) {
+                               curproxy->ck_opts |= PR_CK_SECURE;
+                       }
                        else if (!strcmp(args[cur_arg], "domain")) {
                                if (!*args[cur_arg + 1]) {
                                        Alert("parsing [%s:%d]: '%s' expects <domain> as argument.\n",

diff --git a/src/proto_http.c b/src/proto_http.c
index 02537ff40ab845a2eeda7f7dc66a5415fc2f9ac0..7eeb4f64a20664127efdcaf78a0729ff8150e6c4 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -5085,6 +5085,12 @@ int http_process_res_common(struct session *t, struct buffer *rep, int an_bit, s
                        if (t->be->cookie_domain)
                                len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain);
 
+                       if (t->be->ck_opts & PR_CK_HTTPONLY)
+                               len += sprintf(trash+len, "; HttpOnly");
+
+                       if (t->be->ck_opts & PR_CK_SECURE)
+                               len += sprintf(trash+len, "; Secure");
+
                        if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0))
                                goto return_bad_resp;