From: Stefan Fritsch
Date: Wed, 9 Nov 2011 21:43:49 +0000 (+0000)
Subject: Use random value instead of remote IP address in cookie value. This has the
X-Git-Tag: 2.3.16~224
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29a8aa54bb6b7a62395719541ae75b1d9e46ae07;p=thirdparty%2Fapache%2Fhttpd.git

Use random value instead of remote IP address in cookie value. This has the advantage that we don't leak internal IP addresses in reverse proxy setups. Also, use hex to make the cookie shorter.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1199987 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 72bbddb1867..335e1368243 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.3.16
+ *) mod_usertrack: Use random value instead of remote IP address.
+ [Stefan Fritsch]
 Changes with Apache 2.3.15
diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
index 681aac5dad4..d94f283678a 100644
--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -97,19 +97,16 @@ static void make_cookie(request_rec *r)
 {
     cookie_log_state *cls = ap_get_module_config(r->server->module_config,
                                                  &usertrack_module);
-    /* 1024 == hardcoded constant */
-    char cookiebuf[1024];
+    char cookiebuf[2 * (sizeof(apr_uint64_t) + sizeof(int)) + 2];
+    unsigned int random;
+    apr_time_t now = r->request_time ? r->request_time : apr_time_now();
     char *new_cookie;
-    const char *rname = ap_get_remote_host(r->connection, r->per_dir_config,
-                                           REMOTE_NAME, NULL);
     cookie_dir_rec *dcfg;
+    ap_random_insecure_bytes(&random, sizeof(random));
+    apr_snprintf(cookiebuf, sizeof(cookiebuf), "%x.%" APR_UINT64_T_HEX_FMT,
+                 random, (apr_uint64_t)now);
     dcfg = ap_get_module_config(r->per_dir_config, &usertrack_module);
-
-    /* XXX: hmm, this should really tie in with mod_unique_id */
-    apr_snprintf(cookiebuf, sizeof(cookiebuf), "%s.%" APR_TIME_T_FMT, rname,
-                 apr_time_now());
-
     if (cls->expires) {
         /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
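Review bot: The new local `unsigned int random;` shadows the libc `random(3)` function, which trips `-Wshadow` and reads oddly next to the `ap_random_insecure_bytes` call; renaming it, e.g. `unsigned int rnd;`, avoids that. The sizing of `cookiebuf` is correct but silently tied to the format string (`%x` prints at most `2 * sizeof(int)` hex digits, the 64-bit value at most 16, plus the `.` and the terminating NUL), so a comment on the declaration such as `/* "%x" + "." + 64-bit hex + NUL; keep in sync with the apr_snprintf format below */` would keep a later edit of either side from overflowing it. Since the bytes come from `ap_random_insecure_bytes`, a note above that call that the value is only a tracking identifier and must not be treated as a secret or a session credential, e.g. `/* Not a secret: the insecure PRNG is sufficient for a tracking id */`, would record why the weaker generator is acceptable here. make_cookie continues past the end of the hunk.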