From: Eric Covener Date: Sat, 22 Feb 2020 17:10:10 +0000 (+0000) Subject: PR64077: samesite/httponly/secure flags for usertrack X-Git-Tag: 2.5.0-alpha2-ci-test-only~1627 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fd6207efa1b44c03c53f8cc4917da78c19e95a7;p=thirdparty%2Fapache%2Fhttpd.git PR64077: samesite/httponly/secure flags for usertrack Submitted By: Prashant Keshvani , Eric Covener Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874389 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 552d37dbdf7..df84a145c18 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + + *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure + to allow customization of the usertrack cookie. PR64077. + [Prashant Keshvani , Eric Covener] + *) mpm_event: avoid possible KeepAlveTimeout off by -100 ms. [Eric Covener, Yann Ylavic] diff --git a/docs/manual/mod/mod_usertrack.xml b/docs/manual/mod/mod_usertrack.xml index 564c55ed8f3..bc383222704 100644 --- a/docs/manual/mod/mod_usertrack.xml +++ b/docs/manual/mod/mod_usertrack.xml @@ -222,4 +222,71 @@ CustomLog "logs/clickstream.log" usertrack + +CookieSecure +Adds the 'Secure' attribute to the cookie +CookieSecure on|off +CookieSecure off + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'ON', the 'Secure' cookie attribute is added to this + modules tracking cookie. This attribute instructs browsers to only + transmit the cookie over HTTPS.

+ + + + +CookieHTTPOnly +Adds the 'HTTPOnly' attribute to the cookie +CookieHTTPOnlyon|off +CookieHTTPOnlyoff + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'ON', the 'HTTPOnly' cookie attribute is added to this + modules tracking cookie. This attribute instructs browsers to block javascript + from reading the value of the cookie

+ + + + +CookieSameSite +Adds the 'SameSite' attribute to the cookie +CookieSameSite None|Lax|Strict +unset + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute + is added to this modules tracking cookie with the corresponding value. + This attribute instructs browser on how to treat the cookie when it is + requested in a cross-site context.

+ + +

A value of 'None' sets 'SameSite=None', which is the most liberal setting. To + omit this attribute, omit the directive entirely.

+ + + + + diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c index 73a9f45cc61..65759c2120e 100644 --- a/modules/metadata/mod_usertrack.c +++ b/modules/metadata/mod_usertrack.c @@ -86,6 +86,9 @@ typedef struct { const char *cookie_domain; char *regexp_string; /* used to compile regexp; save for debugging */ ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */ + int is_secure; + int is_httponly; + const char *samesite; } cookie_dir_rec; /* Make Cookie: Now we have to generate something that is going to be @@ -143,6 +146,21 @@ static void make_cookie(request_rec *r) : ""), NULL); } + if (dcfg->samesite != NULL) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; ", + dcfg->samesite, + NULL); + } + if (dcfg->is_secure) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure", + NULL); + } + if (dcfg->is_httponly) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly", + NULL); + } + + apr_table_addn(r->err_headers_out, (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"), @@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d) dcfg->cookie_domain = NULL; dcfg->style = CT_UNSET; dcfg->enabled = 0; + /* calloc'ed to disabled: samesite, is_secure, is_httponly */ /* In case the user does not use the CookieName directive, * we need to compile the regexp for the default cookie name. */ @@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig, return NULL; } +/* + * SameSite enabled disabled + */ + +static const char *set_samesite_value(cmd_parms *cmd, void *mconfig, + const char *name) +{ + cookie_dir_rec *dcfg; + + dcfg = (cookie_dir_rec *) mconfig; + + if (strcasecmp(name, "strict") == 0) { + dcfg->samesite = "SameSite=Strict"; + } else if (strcasecmp(name, "lax") == 0) { + dcfg->samesite = "SameSite=Lax"; + } else if (strcasecmp(name, "none") == 0) { + dcfg->samesite = "SameSite=None"; + } else { + return "CookieSameSite accepts 'Strict', 'Lax', or 'None'"; + } + + + return NULL; +} + static const command_rec cookie_log_cmds[] = { AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO, "an expiry date code"), @@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = { "whether or not to enable cookies"), AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO, "name of the tracking cookie"), + AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO, + "whether or not to enable cookies"), + AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO, + "SameSite setting"), + AP_INIT_FLAG("CookieSecure", ap_set_flag_slot, + (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO, + "is cookie secure"), + AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot, + (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO, + "is cookie http only"), + {NULL} };