From: Graham Leggett Date: Sat, 30 Aug 2008 13:37:52 +0000 (+0000) Subject: mod_session_cookie, mod_session_dbd: Make sure cookies are set both X-Git-Tag: 2.3.0~328 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4ed2378c5ea9fe2e5d0669c681f4bbb930c82c9b;p=apache mod_session_cookie, mod_session_dbd: Make sure cookies are set both within the output headers and error output headers, so that the session is maintained across redirects. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@690501 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ccbecc42df..0bd0753f2a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both + within the output headers and error output headers, so that the + session is maintained across redirects. [Graham Leggett] + *) mod_auth_form: Make sure the logged in user is populated correctly after a form login. Fixes a missing REMOTE_USER variable directly following a login. [Graham Leggett] diff --git a/include/ap_mmn.h b/include/ap_mmn.h index cc6e9941dc..713713df85 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -167,13 +167,14 @@ * proxy_worker struct. * 20080722.2 (2.3.0-dev) Add scolonsep to proxy_balancer * 20080829.0 (2.3.0-dev) Add cookie attributes when removing cookies + * 20080830.0 (2.3.0-dev) Cookies can be set on headers_out and err_headers_out * */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ #ifndef MODULE_MAGIC_NUMBER_MAJOR -#define MODULE_MAGIC_NUMBER_MAJOR 20080829 +#define MODULE_MAGIC_NUMBER_MAJOR 20080830 #endif #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ diff --git a/include/util_cookies.h b/include/util_cookies.h index eb7dfbfc73..262ff13f15 100644 --- a/include/util_cookies.h +++ b/include/util_cookies.h 
@@ -41,7 +41,7 @@ extern "C" { #define SET_COOKIE "Set-Cookie" #define SET_COOKIE2 "Set-Cookie2" #define DEFAULT_ATTRS "HttpOnly;Secure;Version=1" -#define CLEAR_ATTRS "Max-Age=0;Version=1" +#define CLEAR_ATTRS "Version=1" typedef struct { request_rec *r; @@ -60,9 +60,11 @@ typedef struct { * @param attrs The string containing additional cookie attributes. If NULL, the * DEFAULT_ATTRS will be used. * @param maxage If non zero, a Max-Age header will be added to the cookie. + * @param ... A varargs array of zero or more (apr_table_t *) tables followed by NULL + * to which the cookies should be added. */ AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val, - const char *attrs, long maxage); + const char *attrs, long maxage, ...); /** * Write an RFC2965 compliant cookie. @@ -73,9 +75,11 @@ AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, cons * @param attrs2 The string containing additional cookie attributes. If NULL, the * DEFAULT_ATTRS will be used. * @param maxage If non zero, a Max-Age header will be added to the cookie. + * @param ... A varargs array of zero or more (apr_table_t *) tables followed by NULL + * to which the cookies should be added. */ AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char *val, - const char *attrs2, long maxage); + const char *attrs2, long maxage, ...); /** * Remove an RFC2109 compliant cookie. 
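Review bot: The new `...` tail on `ap_cookie_write` (and on `ap_cookie_write2` below, plus `ap_cookie_remove` and `ap_cookie_remove2` in the following hunks) makes the NULL terminator mandatory, yet an existing five-argument call still compiles against this prototype. Such a call would leave the `va_arg` loop in the implementation reading an argument that was never passed. The doc comment should say the list always ends with a null pointer, even when no table is given, e.g. `@param ... Zero or more (apr_table_t *) tables, always terminated by a NULL pointer.` Where the compiler supports it, a sentinel annotation on the four declarations (GCC/Clang `__attribute__((sentinel))`) would turn a missing terminator into a build warning. The MMN major bump forces a rebuild but does not flag such call sites.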
@@ -84,8 +88,10 @@ AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, co * @param name The name of the cookie. * @param attrs The string containing additional cookie attributes. If NULL, the * CLEAR_ATTRS will be used. + * @param ... A varargs array of zero or more (apr_table_t *) tables followed by NULL + * to which the cookies should be added. */ -AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs); +AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs, ...); /** * Remove an RFC2965 compliant cookie. @@ -94,8 +100,10 @@ AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, con * @param name2 The name of the cookie. * @param attrs2 The string containing additional cookie attributes. If NULL, the * CLEAR_ATTRS will be used. + * @param ... A varargs array of zero or more (apr_table_t *) tables followed by NULL + * to which the cookies should be added. */ -AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2); +AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2, ...); /** * Read a cookie called name, placing its value in val. diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c index d8894f641b..b4895489e7 100644 --- a/modules/session/mod_session_cookie.c +++ b/modules/session/mod_session_cookie.c 
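Review bot: The `@param attrs` text for `ap_cookie_remove` and `ap_cookie_remove2` in util_cookies.h still reads as if `CLEAR_ATTRS` alone defines the removal cookie. `Max-Age=0` has moved out of the macro (first hunk of this file) and, per the util_cookies.c hunks, is now emitted by the functions themselves. I would document that, e.g. `Max-Age=0 is always emitted; attrs (or CLEAR_ATTRS when NULL) is appended after it`, so a module that builds its own removal header from `CLEAR_ATTRS` knows the macro no longer expires anything. The new `@param ...` line was copied from the write functions; for these two it would read better as `tables to which the removal cookie should be added`.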
@@ -67,20 +67,20 @@ static int session_cookie_save(request_rec * r, session_rec * z) /* create RFC2109 compliant cookie */ if (conf->name_set) { if (z->encoded && z->encoded[0]) { - ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs, z->maxage); + ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs, z->maxage, r->headers_out, r->err_headers_out, NULL); } else { - ap_cookie_remove(r, conf->name, conf->name_attrs); + ap_cookie_remove(r, conf->name, conf->name_attrs, r->headers_out, r->err_headers_out, NULL); } } /* create RFC2965 compliant cookie */ if (conf->name2_set) { if (z->encoded && z->encoded[0]) { - ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs, z->maxage); + ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs, z->maxage, r->headers_out, r->err_headers_out, NULL); } else { - ap_cookie_remove2(r, conf->name2, conf->name2_attrs); + ap_cookie_remove2(r, conf->name2, conf->name2_attrs, r->headers_out, r->err_headers_out, NULL); } } diff --git a/modules/session/mod_session_dbd.c b/modules/session/mod_session_dbd.c index 37ad99d869..7df10cd82d 100644 --- a/modules/session/mod_session_dbd.c +++ b/modules/session/mod_session_dbd.c @@ -54,7 +54,7 @@ static void (*session_dbd_prepare_fn) (server_rec *, const char *, const char *) /** * Initialise the database. - * + * * If the mod_dbd module is missing, this method will return APR_EGENERAL. */ static apr_status_t dbd_init(request_rec *r, const char *query, ap_dbd_t **dbdp, @@ -86,7 +86,7 @@ static apr_status_t dbd_init(request_rec *r, const char *query, ap_dbd_t **dbdp, "failed to find the prepared statement called '%s'", query); return APR_EGENERAL; } - + *dbdp = dbd; *statementp = statement; 
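Review bot: Passing both `r->headers_out` and `r->err_headers_out` in `session_cookie_save` (mod_session_cookie.c) looks likely to send the same `Set-Cookie`/`Set-Cookie2` line twice on an ordinary response. As far as I know, the HTTP header filter overlays `err_headers_out` onto `headers_out` before writing them out. For this module the value is the whole encoded session, so the duplication doubles the largest response header. Since `err_headers_out` is the table that survives internal redirects and error responses, writing to it alone should be enough: `ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs, z->maxage, r->err_headers_out, NULL);`. The same applies to the other three calls in this hunk and to the two calls in `session_dbd_save` in mod_session_dbd.c; both function bodies continue outside their hunks.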
@@ -374,7 +374,7 @@ static apr_status_t dbd_remove(request_rec * r, const char *key) /** * Clean out expired sessions. - * + * * TODO: We need to figure out a way to clean out expired sessions from the database. * The monitor hook doesn't help us that much, as we have no handle into the * server, and so we need to come up with a way to do this safely. @@ -431,12 +431,12 @@ static int session_dbd_save(request_rec * r, session_rec * z) /* create RFC2109 compliant cookie */ if (conf->name_set) { - ap_cookie_write(r, conf->name, buffer, conf->name_attrs, z->maxage); + ap_cookie_write(r, conf->name, buffer, conf->name_attrs, z->maxage, r->headers_out, r->err_headers_out, NULL); } /* create RFC2965 compliant cookie */ if (conf->name2_set) { - ap_cookie_write2(r, conf->name2, buffer, conf->name2_attrs, z->maxage); + ap_cookie_write2(r, conf->name2, buffer, conf->name2_attrs, z->maxage, r->headers_out, r->err_headers_out, NULL); } return OK; @@ -485,7 +485,7 @@ static void *create_session_dbd_dir_config(apr_pool_t * p, char *dummy) (session_dbd_dir_conf *) apr_pcalloc(p, sizeof(session_dbd_dir_conf)); new->remove = 1; - + new->selectlabel = "selectsession"; new->insertlabel = "insertsession"; new->updatelabel = "updatesession"; diff --git a/server/util_cookies.c b/server/util_cookies.c index 20aa5d02b5..82afba1b68 100644 --- a/server/util_cookies.c +++ b/server/util_cookies.c @@ -32,11 +32,13 @@ * @param maxage If non zero, a Max-Age header will be added to the cookie. */ AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val, - const char *attrs, long maxage) + const char *attrs, long maxage, ...) { char *buffer; char *rfc2109; + apr_table_t *t; + va_list vp; /* handle expiry */ buffer = ""; 
@@ -51,7 +53,13 @@ AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, cons attrs : DEFAULT_ATTRS, NULL); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX "user '%s' set cookie: '%s'", r->user, rfc2109); - apr_table_addn(r->headers_out, SET_COOKIE, rfc2109); + + /* write the cookie to the header table(s) provided */ + va_start(vp, maxage); + while ((t = va_arg(vp, apr_table_t *))) { + apr_table_addn(t, SET_COOKIE, rfc2109); + } + va_end(vp); return APR_SUCCESS; @@ -68,11 +76,13 @@ AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, cons * @param maxage If non zero, a Max-Age header will be added to the cookie. */ AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char *val, - const char *attrs2, long maxage) + const char *attrs2, long maxage, ...) { char *buffer; char *rfc2965; + apr_table_t *t; + va_list vp; /* handle expiry */ buffer = ""; @@ -87,7 +97,13 @@ AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, co attrs2 : DEFAULT_ATTRS, NULL); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX "user '%s' set cookie2: '%s'", r->user, rfc2965); - apr_table_addn(r->headers_out, SET_COOKIE2, rfc2965); + + /* write the cookie to the header table(s) provided */ + va_start(vp, maxage); + while ((t = va_arg(vp, apr_table_t *))) { + apr_table_addn(t, SET_COOKIE2, rfc2965); + } + va_end(vp); return APR_SUCCESS; 
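Review bot: The new loop in `ap_cookie_write` hands one pool-allocated string to every caller-supplied table with `apr_table_addn`, which stores the pointer without copying, so the header value must now outlive whatever tables the caller passes. The value appears to come from `r->pool` (the `apr_pstrcat(r->pool, ...)` call is visible in the `ap_cookie_remove` hunks; here only its tail is in view). That is fine for `r->headers_out` and `r->err_headers_out`, but not for a table owned by a longer-lived pool such as the connection's. Either document the constraint above the loop, `/* tables must not outlive r->pool: the value is added without copying */`, or use `apr_table_add(t, SET_COOKIE, rfc2109);`, which copies into the table's own pool. The same loop is repeated in `ap_cookie_write2`, `ap_cookie_remove` and `ap_cookie_remove2`.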
@@ -99,15 +115,23 @@ AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, co * @param r The request * @param name The name of the cookie. */ -AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs) +AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, const char *attrs, ...) { + apr_table_t *t; + va_list vp; /* create RFC2109 compliant cookie */ - char *rfc2109 = apr_pstrcat(r->pool, name, "=;", + char *rfc2109 = apr_pstrcat(r->pool, name, "=;Max-Age=0;", attrs ? attrs : CLEAR_ATTRS, NULL); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX "user '%s' removed cookie: '%s'", r->user, rfc2109); - apr_table_addn(r->headers_out, SET_COOKIE, rfc2109); + + /* write the cookie to the header table(s) provided */ + va_start(vp, attrs); + while ((t = va_arg(vp, apr_table_t *))) { + apr_table_addn(t, SET_COOKIE, rfc2109); + } + va_end(vp); return APR_SUCCESS; @@ -119,15 +143,23 @@ AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name, con * @param r The request * @param name2 The name of the cookie. */ -AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2) +AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2, const char *attrs2, ...) { + apr_table_t *t; + va_list vp; /* create RFC2965 compliant cookie */ - char *rfc2965 = apr_pstrcat(r->pool, name2, "=;", + char *rfc2965 = apr_pstrcat(r->pool, name2, "=;Max-Age=0;", attrs2 ? attrs2 : CLEAR_ATTRS, NULL); ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX "user '%s' removed cookie2: '%s'", r->user, rfc2965); - apr_table_addn(r->headers_out, SET_COOKIE2, rfc2965); + + /* write the cookie to the header table(s) provided */ + va_start(vp, attrs2); + while ((t = va_arg(vp, apr_table_t *))) { + apr_table_addn(t, SET_COOKIE2, rfc2965); + } + va_end(vp); return APR_SUCCESS;
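Review bot: The comment block above `ap_cookie_remove` in util_cookies.c still lists only `r` and `name`, so neither `attrs` nor the new NULL-terminated table list is described at the definition; `ap_cookie_remove2` has the same gap. I would add `@param attrs Additional cookie attributes; CLEAR_ATTRS is used if NULL.` and `@param ... Zero or more (apr_table_t *) tables, terminated by NULL.` to both. A one-line comment at the `apr_pstrcat` call, noting that `Max-Age=0` is always sent whatever `attrs` holds, would also help whoever next edits `CLEAR_ATTRS`.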