add SameSite to RewriteRule ... ... [CO]
authorEric Covener <covener@apache.org>
Sat, 8 Feb 2020 01:14:28 +0000 (01:14 +0000)
committerEric Covener <covener@apache.org>
Sat, 8 Feb 2020 01:14:28 +0000 (01:14 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1873762 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
docs/manual/mod/mod_rewrite.xml
docs/manual/rewrite/flags.xml
modules/mappers/mod_rewrite.c

diff --git a/CHANGES b/CHANGES
index 821aff66d76142881e03ddac9ef37c51a70a7cd9..ef8c44db3f181db30632fc6872b0b59f51090d0f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a 
+     SameSite attribute. [Eric Covener]
+
   *) Update DOCTYPE tags in server-generated HTML. PR62989.
      [Andra Farkas <deepbluemistake gmail.com>, Giovanni Bechis <giovanni paclan.it>]
 
index 7e9963f58adccf73e8e38596497013d82e30c48c..961c7c313faf540872334ebe0fa51278c072a532 100644 (file)
@@ -1343,7 +1343,7 @@ cannot use <code>$N</code> in the substitution string!
     <tr>
         <td>cookie|CO=<em>NAME</em>:<em>VAL</em></td>
         <td>Sets a cookie in the client browser. Full syntax is:
-        CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em>
+        CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>[<em>samesite</em>]]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em>
         </td>
     </tr>
     <tr>
index cd9fe971caf6ed520b9bf854fde121c769385d76..67bf9cf99dc93f3b90a0b49a94934b9e070e17e3 100644 (file)
@@ -134,14 +134,14 @@ skipped.</p>
 <section id="flag_co"><title>CO|cookie</title>
 <p>The [CO], or [cookie] flag, allows you to set a cookie when a
 particular <directive module="mod_rewrite">RewriteRule</directive>
-matches. The argument consists of three required fields and four optional
+matches. The argument consists of three required fields and five optional
 fields.</p>
 
 <p>The full syntax for the flag, including all attributes, is as
 follows:</p>
 
 <example>
-[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly]
+[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly:samesite]
 </example>
 
 <p>If a literal ':' character is needed in any of the cookie fields, an 
@@ -150,7 +150,7 @@ alternate syntax is available.  To opt-in to the alternate syntax, the cookie
 specified as ';'.</p>
 
 <example>
-[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly]
+[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly;samesite]
 </example>
 
 <p>You must declare a name, a value, and a domain for the cookie to be set.</p>
@@ -191,6 +191,12 @@ connections.</dd>
 which means that the cookie is inaccessible to JavaScript code on
 browsers that support this feature.</dd>
 </dl>
+<dt>samesite</dt>
+<dd>If set to anything other than <code>0</code>, the <code>SameSite</code>
+attribute is set to the specified value.  Typical values are <code>None</code>,
+<code>Lax</code>, and <code>Strict</code>.Available in 2.5.1 and later.</dd>
+</dl>
+
 
 <p>Consider this example:</p>
 
index ad90d60dcfb1bc55788896c0f1e0e6285d3a5efb..f35752b0e19303c26ccb533c867310152e9780e9 100644 (file)
@@ -2581,6 +2581,7 @@ static void add_cookie(request_rec *r, char *s)
     char *path;
     char *secure;
     char *httponly;
+    char *samesite;
 
     char *tok_cntx;
     char *cookie;
@@ -2615,6 +2616,7 @@ static void add_cookie(request_rec *r, char *s)
             path = expires ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
             secure = path ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
             httponly = secure ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
+            samesite = httponly ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
 
             if (expires) {
                 apr_time_exp_t tms;
@@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, char *s)
                                   "; HttpOnly" : NULL,
                                  NULL);
 
+            if (samesite && !strcasecmp(samesite, "0")) { 
+                cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=", 
+                                     samesite, NULL);
+            }
+
             apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
             apr_pool_userdata_set("set", notename, NULL, rmain->pool);
             rewritelog(rmain, 5, NULL, "setting cookie '%s'", cookie);
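Review bot: The added test `if (samesite && !strcasecmp(samesite, "0"))` is inverted, because strcasecmp() returns 0 on a match. As written, the attribute is appended only when the field is literally `0` (emitting `; SameSite=0`) and is skipped for `Lax`, `Strict` or `None`, the opposite of what the flags documentation in this same commit describes. An administrator who sets `samesite` as a cross-site request mitigation would silently get a cookie without the attribute, so the condition should read `if (samesite && strcasecmp(samesite, "0")) {`. Separately, the value is concatenated into the Set-Cookie header exactly as given, so it may be worth accepting only the known tokens before appending. add_cookie's body starts and ends outside this hunk.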