From: Ruediger Pluem Date: Sat, 12 Apr 2008 08:44:36 +0000 (+0000) Subject: * Allow Cookie option to set secure and HttpOnly flags X-Git-Tag: 2.3.0~731 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93a75ba455053a96416ad2bd922c8072d84f1f8e;p=thirdparty%2Fapache%2Fhttpd.git * Allow Cookie option to set secure and HttpOnly flags PR: 44799 Submitted by: Christian Wenz Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@647395 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ddd72a90958..101afc7de9c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. + PR 44799 [Christian Wenz ] + *) Move the KeptBodySize directive, kept_body filters and the ap_parse_request_body function out of the http module and into a new module called mod_request, reducing the size of the core. diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index c68253f4a5b..eb9af09601e 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -1251,14 +1251,18 @@ cannot use $N in the substitution string! when you let an external redirect happen (where the ``.www'' part should not occur!). -
'cookie|CO=NAME:VAL:domain[:lifetime[:path]]' +
'cookie|CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly]]]]' (set cookie)
This sets a cookie in the client's browser. The cookie's name is specified by NAME and the value is VAL. The domain field is the domain of the cookie, such as '.apache.org', the optional lifetime - is the lifetime of the cookie in minutes, and the optional - path is the path of the cookie
+ is the lifetime of the cookie in minutes, and the optional + path is the path of the cookie. If secure + is set to 'true' or '1', the cookie is only transmitted via secured + connections. If httponly is set to any string, the + HttpOnly flag is used, making the cookie not accessible + to JavaScript code on browsers that support this feature.
'env|E=VAR:VAL' diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index c490b5accda..4efd7cfa884 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -2444,6 +2444,8 @@ static void add_cookie(request_rec *r, char *s) char *domain; char *expires; char *path; + char *secure; + char *httponly; char *tok_cntx; char *cookie; @@ -2468,6 +2470,8 @@ static void add_cookie(request_rec *r, char *s) expires = apr_strtok(NULL, ":", &tok_cntx); path = expires ? apr_strtok(NULL, ":", &tok_cntx) : NULL; + secure = path ? apr_strtok(NULL, ":", &tok_cntx) : NULL; + httponly = secure ? apr_strtok(NULL, ":", &tok_cntx) : NULL; if (expires) { apr_time_exp_t tms; @@ -2488,6 +2492,8 @@ static void add_cookie(request_rec *r, char *s) "; domain=", domain, expires ? "; expires=" : NULL, expires ? exp_time : NULL, + (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0) ? "; secure" : NULL, + httponly ? "; HttpOnly" : NULL, NULL); apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
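Review bot: In the docs/manual/mod/mod_rewrite.xml hunk, the new text gives the two flags different value rules: secure is enabled only by 'true' or '1', while httponly is enabled when "set to any string", so a rule whose last field is 'false' or '0' still sends HttpOnly. Suggest either parsing httponly the same way as secure, or saying explicitly in this paragraph that any value turns it on. The paragraph could also state that the fields are positional, so lifetime and path have to be given before secure, and secure before httponly.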
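Review bot: In the add_cookie() parsing hunk (@@ -2468), secure is read only when path is non-NULL and httponly only when secure is non-NULL, so both stay NULL for the existing short forms such as NAME:VAL:domain, and every later use of them needs a NULL check. A short comment next to the two new apr_strtok() lines saying that these fields are optional and may be NULL would make that requirement visible where the variables are assigned.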
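Review bot: In the last mod_rewrite.c hunk (@@ -2488), strcasecmp(secure, "true") is called with a NULL pointer whenever the rule omits the secure field, because the parsing lines earlier in this patch assign secure = NULL in that case; that covers every CO= rule written in the old syntax. Guard the test, for example secure && (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0). Separately, this argument list ends in NULL); and the neighbouring expires arguments use NULL for "nothing to append", so if the callee stops at the first NULL, a secure value other than 'true' or '1' ends the list early and the "; HttpOnly" argument after it is never appended. Returning "" instead of NULL from the secure ternary would keep HttpOnly independent of secure.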