From: Ruediger Pluem
Date: Tue, 27 May 2008 15:49:30 +0000 (+0000)
Subject: * Make setting of HttpOnly flag more explicit.
X-Git-Tag: 2.3.0~578
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c506a9d1a7debf5b8c562e1bd965ed95e62371e0;p=thirdparty%2Fapache%2Fhttpd.git
* Make setting of HttpOnly flag more explicit.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@660566 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml
index c995ab82f25..c9e4fa0af15 100644
--- a/docs/manual/mod/mod_rewrite.xml
+++ b/docs/manual/mod/mod_rewrite.xml
@@ -1260,7 +1260,7 @@ cannot use $N in the substitution string! is the lifetime of the cookie in minutes, and the optional path is the path of the cookie. If secure is set to 'true' or '1', the cookie is only transmitted via secured
- connections. If httponly is set to any string, the
+ connections. If httponly is set to 'true' or '1', the
 HttpOnly flag is used, making the cookie inaccessible to JavaScript code on browsers that support this feature.
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 91d2a69090e..4abf898db62 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2492,10 +2492,12 @@ static void add_cookie(request_rec *r, char *s)
 "; domain=", domain,
 expires ? "; expires=" : NULL,
 expires ? exp_time : NULL,
- secure ? ((strcasecmp(secure, "true") == 0
- || strcasecmp(secure, "1") == 0) ?
- "; secure" : NULL) : NULL,
- httponly ? "; HttpOnly" : NULL,
+ (secure && (!strcasecmp(secure, "true")
+ || !strcasecmp(secure, "1"))) ?
+ "; secure" : NULL,
+ (httponly && (!strcasecmp(httponly, "true")
+ || !strcasecmp(httponly, "1"))) ?
+ "; HttpOnly" : NULL,
 NULL);
 apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
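Review bot: The new `httponly` test in the mod_rewrite.c hunk drops a security attribute silently: a rule that relied on the old "any string" behaviour (say `httponly` or `yes` in that cookie field) now sends the cookie without HttpOnly, and nothing tells the administrator; `secure` already behaved this way for values other than `true`/`1`. A value that is present but unrecognised should be reported before the cookie string is built, for example `if (httponly && strcasecmp(httponly, "true") && strcasecmp(httponly, "1")) ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "cookie flag httponly='%s' not recognised, HttpOnly not set", httponly);`, with the same check for `secure`; an explicit off value such as `false` or `0` would presumably be exempted. The two predicates are now identical apart from the variable, so a small static helper, `static int cookie_flag_on(const char *v) { return v && (!strcasecmp(v, "true") || !strcasecmp(v, "1")); }`, would keep them from drifting apart. add_cookie begins and ends outside this hunk, so how the two fields are tokenised (empty string versus NULL, surrounding whitespace) cannot be confirmed from here.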