1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "mod_session.h"
19 #include "apr_strings.h"
21 #include "util_cookies.h"
23 #define LOG_PREFIX "mod_session_cookie: "
24 #define MOD_SESSION_COOKIE "mod_session_cookie"
26 module AP_MODULE_DECLARE_DATA session_cookie_module;
29 * Structure to carry the per-dir session config.
34 const char *name_attrs;
37 const char *name2_attrs;
40 } session_cookie_dir_conf;
43 * Set the cookie and embed the session within it.
45 * This function adds an RFC2109 compliant Set-Cookie header for
46 * the cookie specified in SessionCookieName, and an RFC2965 compliant
47 * Set-Cookie2 header for the cookie specified in SessionCookieName2.
49 * If specified, the optional cookie attributes will be added to
50 * each cookie. If defaults are not specified, DEFAULT_ATTRS
53 * On success, this method will return APR_SUCCESS.
55 * @param r The request pointer.
56 * @param z A pointer to where the session will be written.
58 static int session_cookie_save(request_rec * r, session_rec * z)
61 session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
62 &session_cookie_module);
64 /* don't cache auth protected pages */
65 apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
67 /* create RFC2109 compliant cookie */
69 if (z->encoded && z->encoded[0]) {
70 ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs,
71 z->maxage, r->headers_out, r->err_headers_out,
75 ap_cookie_remove(r, conf->name, conf->name_attrs, r->headers_out,
76 r->err_headers_out, NULL);
80 /* create RFC2965 compliant cookie */
81 if (conf->name2_set) {
82 if (z->encoded && z->encoded[0]) {
83 ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs,
84 z->maxage, r->headers_out, r->err_headers_out,
88 ap_cookie_remove2(r, conf->name2, conf->name2_attrs,
89 r->headers_out, r->err_headers_out, NULL);
93 if (conf->name_set || conf->name2_set) {
101 * Isolate the cookie with the name "name", and if present, extract
102 * the payload from the cookie.
104 * If the cookie is found, the cookie and any other cookies with the
105 * same name are removed from the cookies passed in the request, so
106 * that credentials are not leaked to a backend server or process.
108 * A missing or malformed cookie will cause this function to return
111 * On success, this returns APR_SUCCESS.
113 static int session_cookie_load(request_rec * r, session_rec ** z)
116 session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
117 &session_cookie_module);
119 session_rec *zz = NULL;
120 const char *val = NULL;
121 const char *note = NULL;
122 const char *name = NULL;
125 /* find the first redirect */
129 /* find the main request */
134 /* is our session in a cookie? */
135 if (conf->name2_set) {
138 else if (conf->name_set) {
145 /* first look in the notes */
146 note = apr_pstrcat(m->pool, MOD_SESSION_COOKIE, name, NULL);
147 zz = (session_rec *)apr_table_get(m->notes, note);
153 /* otherwise, try parse the cookie */
154 ap_cookie_read(r, name, &val, conf->remove);
156 /* create a new session and return it */
157 zz = (session_rec *) apr_pcalloc(m->pool, sizeof(session_rec));
159 zz->entries = apr_table_make(m->pool, 10);
161 zz->uuid = (apr_uuid_t *) apr_pcalloc(m->pool, sizeof(apr_uuid_t));
164 /* put the session in the notes so we don't have to parse it again */
165 apr_table_setn(m->notes, note, (char *)zz);
173 static void *create_session_cookie_dir_config(apr_pool_t * p, char *dummy)
175 session_cookie_dir_conf *new =
176 (session_cookie_dir_conf *) apr_pcalloc(p, sizeof(session_cookie_dir_conf));
181 static void *merge_session_cookie_dir_config(apr_pool_t * p, void *basev,
184 session_cookie_dir_conf *new = (session_cookie_dir_conf *)
185 apr_pcalloc(p, sizeof(session_cookie_dir_conf));
186 session_cookie_dir_conf *add = (session_cookie_dir_conf *) addv;
187 session_cookie_dir_conf *base = (session_cookie_dir_conf *) basev;
189 new->name = (add->name_set == 0) ? base->name : add->name;
190 new->name_attrs = (add->name_set == 0) ? base->name_attrs : add->name_attrs;
191 new->name_set = add->name_set || base->name_set;
192 new->name2 = (add->name2_set == 0) ? base->name2 : add->name2;
193 new->name2_attrs = (add->name2_set == 0) ? base->name2_attrs : add->name2_attrs;
194 new->name2_set = add->name2_set || base->name2_set;
195 new->remove = (add->remove_set == 0) ? base->remove : add->remove;
196 new->remove_set = add->remove_set || base->remove_set;
202 * Sanity check a given string that it exists, is not empty,
203 * and does not contain special characters.
205 static const char *check_string(cmd_parms * cmd, const char *string)
207 if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&')) {
208 return apr_pstrcat(cmd->pool, cmd->directive->directive,
209 " cannot be empty, or contain '=' or '&'.",
215 static const char *set_cookie_name(cmd_parms * cmd, void *config,
219 char *line = apr_pstrdup(cmd->pool, args);
220 session_cookie_dir_conf *conf = (session_cookie_dir_conf *) config;
221 char *cookie = apr_strtok(line, " \t", &last);
224 while (apr_isspace(*last)) {
227 conf->name_attrs = last;
228 return check_string(cmd, cookie);
231 static const char *set_cookie_name2(cmd_parms * cmd, void *config,
235 char *line = apr_pstrdup(cmd->pool, args);
236 session_cookie_dir_conf *conf = (session_cookie_dir_conf *) config;
237 char *cookie = apr_strtok(line, " \t", &last);
238 conf->name2 = cookie;
240 while (apr_isspace(*last)) {
243 conf->name2_attrs = last;
244 return check_string(cmd, cookie);
248 set_remove(cmd_parms * parms, void *dconf, int flag)
250 session_cookie_dir_conf *conf = dconf;
253 conf->remove_set = 1;
258 static const command_rec session_cookie_cmds[] =
260 AP_INIT_RAW_ARGS("SessionCookieName", set_cookie_name, NULL, RSRC_CONF|OR_AUTHCFG,
261 "The name of the RFC2109 cookie carrying the session"),
262 AP_INIT_RAW_ARGS("SessionCookieName2", set_cookie_name2, NULL, RSRC_CONF|OR_AUTHCFG,
263 "The name of the RFC2965 cookie carrying the session"),
264 AP_INIT_FLAG("SessionCookieRemove", set_remove, NULL, RSRC_CONF|OR_AUTHCFG,
265 "Set to 'On' to remove the session cookie from the headers "
266 "and hide the cookie from a backend server or process"),
270 static void register_hooks(apr_pool_t * p)
272 ap_hook_session_load(session_cookie_load, NULL, NULL, APR_HOOK_MIDDLE);
273 ap_hook_session_save(session_cookie_save, NULL, NULL, APR_HOOK_MIDDLE);
276 AP_DECLARE_MODULE(session_cookie) =
278 STANDARD20_MODULE_STUFF,
279 create_session_cookie_dir_config, /* dir config creater */
280 merge_session_cookie_dir_config, /* dir merger --- default is to
282 NULL, /* server config */
283 NULL, /* merge server config */
284 session_cookie_cmds, /* command apr_table_t */
285 register_hooks /* register hooks */