Posted to cvs@httpd.apache.org by co...@apache.org on 2020/02/22 17:10:10 UTC
svn commit: r1874389 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_usertrack.xml modules/metadata/mod_usertrack.c
Author: covener
Date: Sat Feb 22 17:10:10 2020
New Revision: 1874389
URL: http://svn.apache.org/viewvc?rev=1874389&view=rev
Log:
PR64077: samesite/httponly/secure flags for usertrack
Submitted By: Prashant Keshvani <prashant2400 gmail.com>, Eric Covener
Committed By: covener
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml
httpd/httpd/trunk/modules/metadata/mod_usertrack.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874389&r1=1874388&r2=1874389&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Feb 22 17:10:10 2020
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+
+ *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
+ to allow customization of the usertrack cookie. PR64077.
+ [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
+
*) mpm_event: avoid possible KeepAlveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
Modified: httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml?rev=1874389&r1=1874388&r2=1874389&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml Sat Feb 22 17:10:10 2020
@@ -222,4 +222,71 @@ CustomLog "logs/clickstream.log" usertra
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>CookieSecure</name>
+<description>Adds the 'Secure' attribute to the cookie</description>
+<syntax>CookieSecure on|off</syntax>
+<default>CookieSecure off</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'ON', the 'Secure' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to only
+ transmit the cookie over HTTPS.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieHTTPOnly</name>
+<description>Adds the 'HTTPOnly' attribute to the cookie</description>
+<syntax>CookieHTTPOnlyon|off</syntax>
+<default>CookieHTTPOnlyoff</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'ON', the 'HTTPOnly' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to block javascript
+ from reading the value of the cookie</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieSameSite</name>
+<description>Adds the 'SameSite' attribute to the cookie</description>
+<syntax>CookieSameSite None|Lax|Strict</syntax>
+<default>unset</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute
+ is added to this modules tracking cookie with the corresponding value.
+ This attribute instructs browser on how to treat the cookie when it is
+ requested in a cross-site context. </p>
+
+ <note type="Warning">
+ <p>A value of 'None' sets 'SameSite=None', which is the most liberal setting. To
+ omit this attribute, omit the directive entirely.</p>
+ </note>
+
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
Modified: httpd/httpd/trunk/modules/metadata/mod_usertrack.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_usertrack.c?rev=1874389&r1=1874388&r2=1874389&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/metadata/mod_usertrack.c (original)
+++ httpd/httpd/trunk/modules/metadata/mod_usertrack.c Sat Feb 22 17:10:10 2020
@@ -86,6 +86,9 @@ typedef struct {
const char *cookie_domain;
char *regexp_string; /* used to compile regexp; save for debugging */
ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
+ int is_secure;
+ int is_httponly;
+ const char *samesite;
} cookie_dir_rec;
/* Make Cookie: Now we have to generate something that is going to be
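Review bot: The three fields added to cookie_dir_rec are the only members of the struct without a trailing comment, while regexp_string and regexp directly above them document their role, so a reader has to find make_cookie to learn what they carry. Suggest `int is_secure;        /* CookieSecure on: append "; Secure" */`, `int is_httponly;      /* CookieHttpOnly on: append "; HttpOnly" */` and `const char *samesite; /* full "SameSite=..." attribute text, NULL to omit */`, matching the comment style of the neighbouring fields. The struct's opening line is outside the hunk.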
@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
: ""),
NULL);
}
+ if (dcfg->samesite != NULL) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
+ dcfg->samesite,
+ NULL);
+ }
+ if (dcfg->is_secure) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
+ NULL);
+ }
+ if (dcfg->is_httponly) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
+ NULL);
+ }
+
+
apr_table_addn(r->err_headers_out,
(dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
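Review bot: The `; SameSite=None` branch at the top of the added lines is emitted independently of is_secure, yet current browsers reject or silently drop a SameSite=None cookie that is not also marked Secure, so `CookieSameSite None` without `CookieSecure on` produces a tracking cookie that is never stored. Either enforce the pairing here, replacing `if (dcfg->is_secure) {` with `if (dcfg->is_secure || (dcfg->samesite && strcmp(dcfg->samesite, "SameSite=None") == 0)) {` under a comment `/* browsers only honour SameSite=None when Secure is also present */`, or keep the configuration literal and state in the CookieSameSite documentation that None must be combined with CookieSecure on. The same three attributes are also appended when dcfg->style is CT_COOKIE2 and the header on the last two lines becomes Set-Cookie2, where HttpOnly and SameSite are not defined; presumably harmless, but worth a one-line comment. make_cookie starts above this hunk.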
@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t
dcfg->cookie_domain = NULL;
dcfg->style = CT_UNSET;
dcfg->enabled = 0;
+ /* calloc'ed to disabled: samesite, is_secure, is_httponly */
/* In case the user does not use the CookieName directive,
* we need to compile the regexp for the default cookie name. */
@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_
return NULL;
}
+/*
+ * SameSite enabled disabled
+ */
+
+static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
+ const char *name)
+{
+ cookie_dir_rec *dcfg;
+
+ dcfg = (cookie_dir_rec *) mconfig;
+
+ if (strcasecmp(name, "strict") == 0) {
+ dcfg->samesite = "SameSite=Strict";
+ } else if (strcasecmp(name, "lax") == 0) {
+ dcfg->samesite = "SameSite=Lax";
+ } else if (strcasecmp(name, "none") == 0) {
+ dcfg->samesite = "SameSite=None";
+ } else {
+ return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
+ }
+
+
+ return NULL;
+}
+
static const command_rec cookie_log_cmds[] = {
AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
"an expiry date code"),
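Review bot: The header comment above set_samesite_value, `SameSite enabled disabled`, does not describe the function: it maps one of three tokens to the literal attribute text and rejects anything else, and nothing in it enables or disables. Replace it with `/* CookieSameSite: map Strict|Lax|None (case-insensitive) to the SameSite attribute text */`. The two blank lines before the final `return NULL;` are also out of step with the rest of the file. Once set, the value cannot be cleared by a later directive; whether that matters depends on how the directory config is merged, which is outside this hunk.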
@@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds
"whether or not to enable cookies"),
AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
"name of the tracking cookie"),
+ AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
+ "whether or not to enable cookies"),
+ AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
+ "SameSite setting"),
+ AP_INIT_FLAG("CookieSecure", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
+ "is cookie secure"),
+ AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
+ "is cookie http only"),
+
{NULL}
};
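Review bot: The `AP_INIT_FLAG("CookieTracking", set_cookie_enable, ...)` entry at the top of the added lines appears to duplicate an existing registration: the context line immediately above ends with the identical help string `"whether or not to enable cookies"` and CookieTracking is not new in this change, so the extra entry should be dropped. The new flag is registered as `CookieHttpOnly` while the documentation hunk names it `CookieHTTPOnly` (with the syntax line rendered as `CookieHTTPOnlyon|off`); directive lookup is case-insensitive so it works, but the manual should use the registered spelling and a space. The help strings `"is cookie secure"` and `"is cookie http only"` would read better as what the flag does, e.g. `"add the Secure attribute to the tracking cookie"`.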
Re: svn commit: r1874389 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_usertrack.xml modules/metadata/mod_usertrack.c
Posted by Eric Covener <co...@gmail.com>.
I tagged it "beginner" at https://bz.apache.org/bugzilla/show_bug.cgi?id=64175
On Tue, Feb 25, 2020 at 5:24 AM Yann Ylavic <yl...@gmail.com> wrote:
>
> On Tue, Feb 25, 2020 at 9:33 AM Ruediger Pluem <rp...@apache.org> wrote:
> >
> > I guess this could be more effective memory and possibly CPU wise if we would collect all the possible
> > strings including the one for domain in the already existing code above in an apr_array and do an
> > apr_array_pstrcat to build the final cookie value once all components are sorted out.
>
> FWIW, I find the ap_varbuf interface quite handy and efficient.
>
> Regards,
> Yann.
--
Eric Covener
covener@gmail.com
Re: svn commit: r1874389 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_usertrack.xml modules/metadata/mod_usertrack.c
Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Feb 25, 2020 at 9:33 AM Ruediger Pluem <rp...@apache.org> wrote:
>
> I guess this could be more effective memory and possibly CPU wise if we would collect all the possible
> strings including the one for domain in the already existing code above in an apr_array and do an
> apr_array_pstrcat to build the final cookie value once all components are sorted out.
FWIW, I find the ap_varbuf interface quite handy and efficient.
Regards,
Yann.
Re: svn commit: r1874389 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_usertrack.xml modules/metadata/mod_usertrack.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 02/22/2020 06:10 PM, covener@apache.org wrote:
> Author: covener
> Date: Sat Feb 22 17:10:10 2020
> New Revision: 1874389
>
> URL: http://svn.apache.org/viewvc?rev=1874389&view=rev
> Log:
> PR64077: samesite/httponly/secure flags for usertrack
>
> Submitted By: Prashant Keshvani <prashant2400 gmail.com>, Eric Covener
> Committed By: covener
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_usertrack.xml
> httpd/httpd/trunk/modules/metadata/mod_usertrack.c
>
>
> Modified: httpd/httpd/trunk/modules/metadata/mod_usertrack.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_usertrack.c?rev=1874389&r1=1874388&r2=1874389&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/metadata/mod_usertrack.c (original)
> +++ httpd/httpd/trunk/modules/metadata/mod_usertrack.c Sat Feb 22 17:10:10 2020
> @@ -86,6 +86,9 @@ typedef struct {
> const char *cookie_domain;
> char *regexp_string; /* used to compile regexp; save for debugging */
> ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
> + int is_secure;
> + int is_httponly;
> + const char *samesite;
> } cookie_dir_rec;
>
> /* Make Cookie: Now we have to generate something that is going to be
> @@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
> : ""),
> NULL);
> }
> + if (dcfg->samesite != NULL) {
> + new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
> + dcfg->samesite,
> + NULL);
> + }
> + if (dcfg->is_secure) {
> + new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
> + NULL);
> + }
> + if (dcfg->is_httponly) {
> + new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
> + NULL);
> + }
> +
> +
Just as a breadcrumb as I don't have time to fix it myself right now:
I guess this could be more effective memory and possibly CPU wise if we would collect all the possible
strings including the one for domain in the already existing code above in an apr_array and do an
apr_array_pstrcat to build the final cookie value once all components are sorted out.
Regards
Rüdiger