From 93a75ba455053a96416ad2bd922c8072d84f1f8e Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Sat, 12 Apr 2008 08:44:36 +0000 Subject: [PATCH] * Allow Cookie option to set secure and HttpOnly flags PR: 44799 Submitted by: Christian Wenz Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@647395 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ docs/manual/mod/mod_rewrite.xml | 10 +++++++--- modules/mappers/mod_rewrite.c | 6 ++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index ddd72a9095..101afc7de9 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. + PR 44799 [Christian Wenz ] + *) Move the KeptBodySize directive, kept_body filters and the ap_parse_request_body function out of the http module and into a new module called mod_request, reducing the size of the core. diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index c68253f4a5..eb9af09601 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -1251,14 +1251,18 @@ cannot use $N in the substitution string! when you let an external redirect happen (where the ``.www'' part should not occur!). -
'cookie|CO=NAME:VAL:domain[:lifetime[:path]]' +
'cookie|CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly]]]]' (set cookie)
This sets a cookie in the client's browser. The cookie's name is specified by NAME and the value is VAL. The domain field is the domain of the cookie, such as '.apache.org', the optional lifetime - is the lifetime of the cookie in minutes, and the optional - path is the path of the cookie
+ is the lifetime of the cookie in minutes, and the optional + path is the path of the cookie. If secure + is set to 'true' or '1', the cookie is only transmitted via secured + connections. If httponly is set to any string, the + HttpOnly flag is used, making the cookie not accessible + to JavaScript code on browsers that support this feature.
'env|E=VAR:VAL'
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index c490b5accd..4efd7cfa88 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2444,6 +2444,8 @@ static void add_cookie(request_rec *r, char *s)
 char *domain;
 char *expires;
 char *path;
+ char *secure;
+ char *httponly;
 char *tok_cntx;
 char *cookie;
@@ -2468,6 +2470,8 @@ static void add_cookie(request_rec *r, char *s)
 expires = apr_strtok(NULL, ":", &tok_cntx);
 path = expires ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
+ secure = path ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
+ httponly = secure ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
 if (expires) {
 apr_time_exp_t tms;
@@ -2488,6 +2492,8 @@ static void add_cookie(request_rec *r, char *s)
 "; domain=", domain,
 expires ? "; expires=" : NULL,
 expires ? exp_time : NULL,
+ (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0) ? "; secure" : NULL,
+ httponly ? "; HttpOnly" : NULL,
 NULL);
 apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
--
2.40.0
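Review bot: In the last hunk `strcasecmp(secure, "true")` is evaluated unconditionally, but the tokenizing hunk before it leaves `secure` NULL whenever the flag ends at `domain`, `lifetime` or `path`. Every rule written in the older `CO=NAME:VAL:domain[:lifetime[:path]]` form would therefore pass NULL to strcasecmp, which is undefined behaviour and in practice is likely to crash the child handling the request. Guard it the same way `httponly` is guarded: `(secure && (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0)) ? "; secure" : NULL,`. A comment above the two new `apr_strtok` lines, for example `/* optional trailing fields; NULL when omitted */`, would make that contract visible. The body of add_cookie starts and ends outside these hunks, so any earlier handling of `secure` is not visible here.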