From 340f9be22201d8417c765773e5a68981332b0242 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Fri, 6 Mar 2020 01:12:07 +0000 Subject: [PATCH] Merge r1874389, r1874480, r1874601 from trunk: PR64077: samesite/httponly/secure flags for usertrack Submitted By: Prashant Keshvani , Eric Covener Committed By: covener * Whitespace fix Remove duplicated "CookieTracking" directive in 'command_rec'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874863 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 9 +++-- docs/manual/mod/mod_usertrack.xml | 67 +++++++++++++++++++++++++++++++ modules/metadata/mod_usertrack.c | 53 ++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 6f53cb216c2..7842400ef29 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.42 - *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy - AJP13 authentication. PR 53098. [Dmitry A. Bakshaev ] - - *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms. + *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure + to allow customization of the usertrack cookie. PR64077. + [Prashant Keshvani , Eric Covener] + + *) mpm_event: avoid possible KeepAlveTimeout off by -100 ms. [Eric Covener, Yann Ylavic] *) Add a config layout for OpenWRT. [Graham Leggett] diff --git a/docs/manual/mod/mod_usertrack.xml b/docs/manual/mod/mod_usertrack.xml index 564c55ed8f3..bc383222704 100644 --- a/docs/manual/mod/mod_usertrack.xml +++ b/docs/manual/mod/mod_usertrack.xml @@ -222,4 +222,71 @@ CustomLog "logs/clickstream.log" usertrack + +CookieSecure +Adds the 'Secure' attribute to the cookie +CookieSecure on|off +CookieSecure off + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'ON', the 'Secure' cookie attribute is added to this + modules tracking cookie. This attribute instructs browsers to only + transmit the cookie over HTTPS.

+ + + + +CookieHTTPOnly +Adds the 'HTTPOnly' attribute to the cookie +CookieHTTPOnlyon|off +CookieHTTPOnlyoff + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'ON', the 'HTTPOnly' cookie attribute is added to this + modules tracking cookie. This attribute instructs browsers to block javascript + from reading the value of the cookie

+ + + + +CookieSameSite +Adds the 'SameSite' attribute to the cookie +CookieSameSite None|Lax|Strict +unset + +server config +virtual host +directory +.htaccess + +FileInfo + + +

When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute + is added to this modules tracking cookie with the corresponding value. + This attribute instructs browser on how to treat the cookie when it is + requested in a cross-site context.

+ + +

A value of 'None' sets 'SameSite=None', which is the most liberal setting. To + omit this attribute, omit the directive entirely.

+ + + + + diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c index 73a9f45cc61..09a7d9d9f66 100644 --- a/modules/metadata/mod_usertrack.c +++ b/modules/metadata/mod_usertrack.c @@ -86,6 +86,9 @@ typedef struct { const char *cookie_domain; char *regexp_string; /* used to compile regexp; save for debugging */ ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */ + int is_secure; + int is_httponly; + const char *samesite; } cookie_dir_rec; /* Make Cookie: Now we have to generate something that is going to be @@ -143,6 +146,21 @@ static void make_cookie(request_rec *r) : ""), NULL); } + if (dcfg->samesite != NULL) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; ", + dcfg->samesite, + NULL); + } + if (dcfg->is_secure) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure", + NULL); + } + if (dcfg->is_httponly) { + new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly", + NULL); + } + + apr_table_addn(r->err_headers_out, (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"), @@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d) dcfg->cookie_domain = NULL; dcfg->style = CT_UNSET; dcfg->enabled = 0; + /* calloc'ed to disabled: samesite, is_secure, is_httponly */ /* In case the user does not use the CookieName directive, * we need to compile the regexp for the default cookie name. */ @@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig, return NULL; } +/* + * SameSite enabled disabled + */ + +static const char *set_samesite_value(cmd_parms *cmd, void *mconfig, + const char *name) +{ + cookie_dir_rec *dcfg; + + dcfg = (cookie_dir_rec *) mconfig; + + if (strcasecmp(name, "strict") == 0) { + dcfg->samesite = "SameSite=Strict"; + } else if (strcasecmp(name, "lax") == 0) { + dcfg->samesite = "SameSite=Lax"; + } else if (strcasecmp(name, "none") == 0) { + dcfg->samesite = "SameSite=None"; + } else { + return "CookieSameSite accepts 'Strict', 'Lax', or 'None'"; + } + + + return NULL; +} + static const command_rec cookie_log_cmds[] = { AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO, "an expiry date code"), @@ -440,6 +484,15 @@ static const command_rec cookie_log_cmds[] = { "whether or not to enable cookies"), AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO, "name of the tracking cookie"), + AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO, + "SameSite setting"), + AP_INIT_FLAG("CookieSecure", ap_set_flag_slot, + (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO, + "is cookie secure"), + AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot, + (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO, + "is cookie http only"), + {NULL} }; -- 2.47.3