Posted to commits@couchdb.apache.org by rn...@apache.org on 2011/06/02 12:47:41 UTC

svn commit: r1130491 - /couchdb/trunk/src/couchdb/couch_httpd_auth.erl

Author: rnewson
Date: Thu Jun  2 10:47:41 2011
New Revision: 1130491

URL: http://svn.apache.org/viewvc?rev=1130491&view=rev
Log:
set HttpOnly on auth cookies on SSL.

Modified:
    couchdb/trunk/src/couchdb/couch_httpd_auth.erl

Modified: couchdb/trunk/src/couchdb/couch_httpd_auth.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_auth.erl?rev=1130491&r1=1130490&r2=1130491&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_auth.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_auth.erl Thu Jun  2 10:47:41 2011
@@ -232,7 +232,7 @@ cookie_auth_cookie(Req, User, Secret, Ti
     Hash = crypto:sha_mac(Secret, SessionData),
     mochiweb_cookies:cookie("AuthSession",
         couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)),
-        [{path, "/"}, cookie_scheme(Req)]).
+        [{path, "/"}] ++ cookie_scheme(Req)).
 
 hash_password(Password, Salt) ->
     ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
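Review bot: The option list at L27 is built with `++` against a single-element literal, which is a copy-and-concatenate where a cons would do; `[{path, "/"} | cookie_scheme(Req)]` expresses the same list directly now that `cookie_scheme/1` returns a proplist. The same form appears at L36 and L45 in the next two hunks and could be changed there too. cookie_auth_cookie's head and the start of its body lie outside this hunk.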
@@ -293,7 +293,7 @@ handle_session_req(#httpd{method='POST',
                 ]});
         _Else ->
             % clear the session
-            Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
+            Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}] ++ cookie_scheme(Req)),
             send_json(Req, 401, [Cookie], {[{error, <<"unauthorized">>},{reason, <<"Name or password is incorrect.">>}]})
     end;
 % get user info
@@ -323,7 +323,7 @@ handle_session_req(#httpd{method='GET', 
     end;
 % logout by deleting the session
 handle_session_req(#httpd{method='DELETE'}=Req) ->
-    Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
+    Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}] ++ cookie_scheme(Req)),
     {Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
         nil ->
             {200, [Cookie]};
@@ -347,7 +347,8 @@ make_cookie_time() ->
     NowMS * 1000000 + NowS.
 
 cookie_scheme(#httpd{mochi_req=MochiReq}) ->
+    [{http_only, true}] ++
     case MochiReq:get(scheme) of
-        http -> {http_only, true};
-        https -> {secure, true}
+        http -> [];
+        https -> [{secure, true}]
     end.
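Review bot: The `secure` attribute at L58 is decided by `MochiReq:get(scheme)`, that is by the scheme of the socket CouchDB itself accepted; if TLS is terminated by a reverse proxy in front of CouchDB, that scheme is presumably plain http and the AuthSession cookie would be issued without Secure even though the browser's connection is HTTPS. That limitation deserves a comment above the function, e.g. `%% Secure is only added when CouchDB terminates TLS itself; behind an HTTPS-terminating proxy the cookie is sent without it.`. Since the function now returns a list rather than a single tuple, a spec such as `-spec cookie_scheme(#httpd{}) -> [{http_only, true} | {secure, true}].` would record the new contract for the three callers, and `[{http_only, true} | case ... end]` would avoid the `++` on a one-element literal at L53.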