Posted to cvs@httpd.apache.org by rp...@apache.org on 2008/04/12 10:44:49 UTC

svn commit: r647395 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c

Author: rpluem
Date: Sat Apr 12 01:44:36 2008
New Revision: 647395

URL: http://svn.apache.org/viewvc?rev=647395&view=rev
Log:
* Allow Cookie option to set secure and HttpOnly flags

PR: 44799
Submitted by: Christian Wenz <christian wenz.org>
Reviewed by: rpluem


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
    httpd/httpd/trunk/modules/mappers/mod_rewrite.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=647395&r1=647394&r2=647395&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Apr 12 01:44:36 2008
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
+     PR 44799 [Christian Wenz <christian wenz.org>]
+
   *) Move the KeptBodySize directive, kept_body filters and the
      ap_parse_request_body function out of the http module and into a
      new module called mod_request, reducing the size of the core.

Modified: httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml?rev=647395&r1=647394&r2=647395&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml Sat Apr 12 01:44:36 2008
@@ -1251,14 +1251,18 @@
         when you let an external redirect happen (where the
         ``<code>.www</code>'' part should not occur!).</dd>
 
-        <dt>'<code>cookie|CO=</code><em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>]]'
+        <dt>'<code>cookie|CO=</code><em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>]]]]'
         (set cookie)</dt><dd>
         This sets a cookie in the client's browser.  The cookie's name
         is specified by <em>NAME</em> and the value is
         <em>VAL</em>. The <em>domain</em> field is the domain of the
         cookie, such as '.apache.org', the optional <em>lifetime</em>
-	is the lifetime of the cookie in minutes, and the optional 
-	<em>path</em> is the path of the cookie</dd>
+        is the lifetime of the cookie in minutes, and the optional 
+        <em>path</em> is the path of the cookie. If <em>secure</em>
+        is set to 'true' or '1', the cookie is only transmitted via secured
+        connections. If <em>httponly</em> is set to any string, the
+        <code>HttpOnly</code> flag is used, making the cookie not accessible
+        to JavaScript code on browsers that support this feature.</dd>
 
         <dt>
         '<code>env|E=</code><em>VAR</em>:<em>VAL</em>'
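
Review bot: the added <dd> text gives the two new fields different truth conventions: <em>secure</em> is enabled only by 'true' or '1', while <em>httponly</em> is enabled by "any string", so a rule author who writes 'false' or '0' in the last field still gets HttpOnly. Either give both fields the same accepted values or state the difference explicitly with an example. The text should also say that <em>secure</em> can only be given when <em>lifetime</em> and <em>path</em> are present, and <em>httponly</em> only when <em>secure</em> is present, as the nested brackets in the <dt> imply.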

Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=647395&r1=647394&r2=647395&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Sat Apr 12 01:44:36 2008
@@ -2444,6 +2444,8 @@
     char *domain;
     char *expires;
     char *path;
+    char *secure;
+    char *httponly;
 
     char *tok_cntx;
     char *cookie;
@@ -2468,6 +2470,8 @@
 
             expires = apr_strtok(NULL, ":", &tok_cntx);
             path = expires ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
+            secure = path ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
+            httponly = secure ? apr_strtok(NULL, ":", &tok_cntx) : NULL;
 
             if (expires) {
                 apr_time_exp_t tms;
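
Review bot: the two added apr_strtok calls extend a chain in which no field can be left empty, because apr_strtok treats a run of ':' as a single separator. A spec written as NAME:VAL:domain:::true therefore puts 'true' into expires, not into secure, and the cookie is sent without the flag the author asked for. Since these fields control security attributes, consider rejecting or logging a spec whose secure token is not one of the accepted values, so that a misplaced field fails loudly instead of silently producing a cookie without "; secure".
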
@@ -2488,6 +2492,8 @@
                                  "; domain=", domain,
                                  expires ? "; expires=" : NULL,
                                  expires ? exp_time : NULL,
+                                 (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0) ? "; secure" : NULL,
+                                 httponly ? "; HttpOnly" : NULL, 
                                  NULL);
 
             apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
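
Review bot: missing NULL check on the added strcasecmp(secure, "true") line. secure is NULL whenever the cookie spec has fewer than six fields (see the "secure = path ? ... : NULL" assignment), so every existing CO=NAME:VAL:domain rule now passes NULL to strcasecmp when the cookie is built. Guard it the same way httponly is guarded, for example "(secure && (strcasecmp(secure, "true") == 0 || strcasecmp(secure, "1") == 0)) ? "; secure" : NULL". Second point on the same two lines: the argument list is terminated by NULL, so when the secure expression evaluates to NULL the concatenation ends there and "; HttpOnly" is dropped even though httponly is set. Passing "" instead of NULL for an absent flag avoids that. The httponly line also carries trailing whitespace.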