From: Eric Covener Date: Mon, 2 Mar 2020 00:58:36 +0000 (+0000) Subject: PR56040: add SessionCookieMaxAge On/Off X-Git-Tag: 2.5.0-alpha2-ci-test-only~1602 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b7a8cc7c125b727c7757c1cb286ef1b53c7e25b;p=thirdparty%2Fapache%2Fhttpd.git PR56040: add SessionCookieMaxAge On/Off Allows mod_session cookies to out as "session" cookies. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874675 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 63bdafeed25..8786b51d51c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_session_cookie: Add SessionCookieMaxAge to allow the mod_session + cookie to be sent as a "session cookie" with no expiration even when the + SessionMaxAge will be enforced on the server. PR56040 [Eric Covener] + *) mod_session: Fix an issue that blocked new sessions being created after session expiration or other session errors. PR56052 [Eric Covener] diff --git a/docs/manual/mod/mod_session_cookie.xml b/docs/manual/mod/mod_session_cookie.xml index 5f9bc6a8fca..d9424fce042 100644 --- a/docs/manual/mod/mod_session_cookie.xml +++ b/docs/manual/mod/mod_session_cookie.xml @@ -169,4 +169,31 @@ SessionCookieName2 session path=/private;domain=example.com;httponly;secure;vers + +SessionCookieMaxAge +Control whether session cookies have Max-Age transmitted to the client +SessionCookieMaxAge On|Off +SessionCookieMaxAge On +server config +virtual host +directory +.htaccess + +AuthConfig + + +

The SessionCookieMaxAge flag controls whether + the session expiration will be specified in the Max-Age attribute on the + cookie sent to the client. When set to 'Off', the attribtue will not be + added and clients will only return the cookie until "the current + session is over". This often means until the browser is closed.

+ +

The expiration of the session is still validated on the server by + the SessionMaxAge directive. +

+ +
+
+ +
diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c
index 25ca16e2424..d91cad2be6a 100644
--- a/modules/session/mod_session_cookie.c
+++ b/modules/session/mod_session_cookie.c
@@ -36,6 +36,8 @@ typedef struct {
 const char *name2_attrs;
 int remove;
 int remove_set;
+ int maxage;
+ int maxage_set;
 } session_cookie_dir_conf;
 /**
@@ -59,12 +61,13 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
 session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config, &session_cookie_module);
+ int maxage = conf->maxage ? z->maxage : 0;
 /* create RFC2109 compliant cookie */
 if (conf->name_set) {
 if (z->encoded && z->encoded[0]) {
 ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs,
- z->maxage, r->err_headers_out,
+ maxage, r->err_headers_out,
 NULL);
 }
 else {
@@ -77,7 +80,7 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
 if (conf->name2_set) {
 if (z->encoded && z->encoded[0]) {
 ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs,
- z->maxage, r->err_headers_out,
+ maxage, r->err_headers_out,
 NULL);
 }
 else {
@@ -172,6 +175,7 @@ static void *create_session_cookie_dir_config(apr_pool_t * p, char *dummy)
 {
 session_cookie_dir_conf *new = (session_cookie_dir_conf *) apr_pcalloc(p, sizeof(session_cookie_dir_conf));
+ new->maxage = 1;
 return (void *) new;
 }
@@ -192,6 +196,8 @@ static void *merge_session_cookie_dir_config(apr_pool_t * p, void *basev,
 new->name2_set = add->name2_set || base->name2_set;
 new->remove = (add->remove_set == 0) ? base->remove : add->remove;
 new->remove_set = add->remove_set || base->remove_set;
+ new->maxage = (add->maxage_set == 0) ? base->maxage : add->maxage;
+ new->maxage_set = add->maxage_set || base->maxage_set;
 return new;
 }
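Review bot: The new local `int maxage` in session_cookie_save is named like the On/Off flag `conf->maxage` but holds a lifetime in seconds. It is also declared `int`, while `z->maxage` and the matching ap_cookie_write parameter appear to be `long`; neither declaration is visible in this hunk, so confirm. I would write `long cookie_maxage = conf->maxage ? z->maxage : 0;` and pass `cookie_maxage` here and in the ap_cookie_write2 call of the `-77,7` hunk. A comment such as `/* 0: no Max-Age is sent (browser-session cookie); expiry is then enforced only server-side via SessionMaxAge */` would record the intent, assuming ap_cookie_write treats 0 that way, as the CHANGES entry implies. The function body starts and ends outside the hunk.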
@@ -253,6 +259,16 @@ static const char *
 return NULL;
 }
+static const char *
+ set_maxage(cmd_parms * parms, void *dconf, int flag)
+{
+ session_cookie_dir_conf *conf = dconf;
+
+ conf->maxage = flag;
+ conf->maxage_set = 1;
+
+ return NULL;
+}
 static const command_rec session_cookie_cmds[] =
 {
 AP_INIT_RAW_ARGS("SessionCookieName", set_cookie_name, NULL, RSRC_CONF|OR_AUTHCFG,
@@ -262,6 +278,9 @@ static const command_rec session_cookie_cmds[] =
 AP_INIT_FLAG("SessionCookieRemove", set_remove, NULL, RSRC_CONF|OR_AUTHCFG,
 "Set to 'On' to remove the session cookie from the headers "
 "and hide the cookie from a backend server or process"),
+ AP_INIT_FLAG("SessionCookieMaxAge", set_maxage, NULL, RSRC_CONF|OR_AUTHCFG,
+ "Set to 'Off' to disable propogating SessionMaxAge to the client"),
+
 {NULL}
 };
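Review bot: The help string added for `SessionCookieMaxAge` misspells "propagating"; it is the text an administrator sees for the directive, so it should read `"Set to 'Off' to disable propagating SessionMaxAge to the client"`. A short comment above the entry could also state that Off only drops the client-side Max-Age attribute. With Off, the session lifetime is bounded solely by the server-side SessionMaxAge check, and browsers that restore sessions can keep such a cookie across a restart. The command table starts outside the hunk.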