Posted to cvs@httpd.apache.org by co...@apache.org on 2020/03/06 01:12:07 UTC
svn commit: r1874863 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
docs/manual/mod/mod_usertrack.xml modules/metadata/mod_usertrack.c
Author: covener
Date: Fri Mar 6 01:12:07 2020
New Revision: 1874863
URL: http://svn.apache.org/viewvc?rev=1874863&view=rev
Log:
Merge r1874389, r1874480, r1874601 from trunk:
PR64077: samesite/httponly/secure flags for usertrack
Submitted By: Prashant Keshvani <prashant2400 gmail.com>, Eric Covener
Committed By: covener
* Whitespace fix
Remove duplicated "CookieTracking" directive in 'command_rec'.
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_usertrack.xml
httpd/httpd/branches/2.4.x/modules/metadata/mod_usertrack.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1874389,1874480,1874601
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1874863&r1=1874862&r2=1874863&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Mar 6 01:12:07 2020
@@ -1,10 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.42
- *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
- AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
-
- *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
+ *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
+ to allow customization of the usertrack cookie. PR64077.
+ [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
+
+ *) mpm_event: avoid possible KeepAlveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
*) Add a config layout for OpenWRT. [Graham Leggett]
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_usertrack.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_usertrack.xml?rev=1874863&r1=1874862&r2=1874863&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_usertrack.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_usertrack.xml Fri Mar 6 01:12:07 2020
@@ -222,4 +222,71 @@ CustomLog "logs/clickstream.log" usertra
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>CookieSecure</name>
+<description>Adds the 'Secure' attribute to the cookie</description>
+<syntax>CookieSecure on|off</syntax>
+<default>CookieSecure off</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'ON', the 'Secure' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to only
+ transmit the cookie over HTTPS.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieHTTPOnly</name>
+<description>Adds the 'HTTPOnly' attribute to the cookie</description>
+<syntax>CookieHTTPOnlyon|off</syntax>
+<default>CookieHTTPOnlyoff</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'ON', the 'HTTPOnly' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to block javascript
+ from reading the value of the cookie</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieSameSite</name>
+<description>Adds the 'SameSite' attribute to the cookie</description>
+<syntax>CookieSameSite None|Lax|Strict</syntax>
+<default>unset</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+ <p>When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute
+ is added to this modules tracking cookie with the corresponding value.
+ This attribute instructs browser on how to treat the cookie when it is
+ requested in a cross-site context. </p>
+
+ <note type="Warning">
+ <p>A value of 'None' sets 'SameSite=None', which is the most liberal setting. To
+ omit this attribute, omit the directive entirely.</p>
+ </note>
+
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
Modified: httpd/httpd/branches/2.4.x/modules/metadata/mod_usertrack.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/metadata/mod_usertrack.c?rev=1874863&r1=1874862&r2=1874863&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/metadata/mod_usertrack.c (original)
+++ httpd/httpd/branches/2.4.x/modules/metadata/mod_usertrack.c Fri Mar 6 01:12:07 2020
@@ -86,6 +86,9 @@ typedef struct {
const char *cookie_domain;
char *regexp_string; /* used to compile regexp; save for debugging */
ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
+ int is_secure;
+ int is_httponly;
+ const char *samesite;
} cookie_dir_rec;
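Review bot: The three new cookie_dir_rec fields carry no trailing comment while their neighbours document what they hold, and `samesite` in particular stores the complete attribute text that set_samesite_value assigns rather than the directive's bare value, which a reader of make_cookie needs to know. Suggest `int is_secure;        /* append "; Secure" to the tracking cookie */`, `int is_httponly;      /* append "; HttpOnly" */` and `const char *samesite; /* full attribute, e.g. "SameSite=Lax", or NULL to omit */`. The struct's opening line is outside the hunk.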
/* Make Cookie: Now we have to generate something that is going to be
@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
: ""),
NULL);
}
+ if (dcfg->samesite != NULL) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
+ dcfg->samesite,
+ NULL);
+ }
+ if (dcfg->is_secure) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
+ NULL);
+ }
+ if (dcfg->is_httponly) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
+ NULL);
+ }
+
+
apr_table_addn(r->err_headers_out,
(dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
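Review bot: Nothing stops `SameSite=None` from being emitted without `Secure`; current browsers drop a cookie carrying that combination, so a site that sets CookieSameSite None and forgets CookieSecure silently loses its tracking cookie. The cheapest guard is a warning inside the samesite branch, `if (!dcfg->is_secure && strcasecmp(dcfg->samesite, "SameSite=None") == 0) ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "CookieSameSite None requires CookieSecure on");` (with an APLOGNO tag per project convention), and the same caveat belongs in the CookieSameSite manual entry. The attributes are also appended unchanged when the CT_COOKIE2 style selects the Set-Cookie2 header, where HttpOnly and SameSite are not RFC 2965 attributes; presumably harmless since that header is obsolete, but a one-line comment saying so would save the next reader the question. make_cookie begins and ends outside the hunk.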
@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t
dcfg->cookie_domain = NULL;
dcfg->style = CT_UNSET;
dcfg->enabled = 0;
+ /* calloc'ed to disabled: samesite, is_secure, is_httponly */
/* In case the user does not use the CookieName directive,
* we need to compile the regexp for the default cookie name. */
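Review bot: The added comment relies on the record apparently being calloc'ed, yet the lines directly above it zero cookie_domain, style and enabled explicitly; mixing the two conventions leaves a reader unsure which fields are really initialised. Either add `dcfg->samesite = NULL;`, `dcfg->is_secure = 0;` and `dcfg->is_httponly = 0;` beside the other assignments, or drop the explicit zeroing for all of them behind one comment. make_cookie_dir starts before the hunk and continues after it.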
@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_
return NULL;
}
+/*
+ * SameSite enabled disabled
+ */
+
+static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
+ const char *name)
+{
+ cookie_dir_rec *dcfg;
+
+ dcfg = (cookie_dir_rec *) mconfig;
+
+ if (strcasecmp(name, "strict") == 0) {
+ dcfg->samesite = "SameSite=Strict";
+ } else if (strcasecmp(name, "lax") == 0) {
+ dcfg->samesite = "SameSite=Lax";
+ } else if (strcasecmp(name, "none") == 0) {
+ dcfg->samesite = "SameSite=None";
+ } else {
+ return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
+ }
+
+
+ return NULL;
+}
+
static const command_rec cookie_log_cmds[] = {
AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
"an expiry date code"),
@@ -440,6 +484,15 @@ static const command_rec cookie_log_cmds
"whether or not to enable cookies"),
AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
"name of the tracking cookie"),
+ AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
+ "SameSite setting"),
+ AP_INIT_FLAG("CookieSecure", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
+ "is cookie secure"),
+ AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
+ "is cookie http only"),
+
{NULL}
};
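Review bot: The help strings `"is cookie secure"` and `"is cookie http only"` read like questions and `"SameSite setting"` does not name the accepted values; `"add the Secure attribute to the tracking cookie"`, `"add the HttpOnly attribute to the tracking cookie"` and `"SameSite attribute: Strict, Lax or None"` would match the tone of the existing entries. `is_httponly),OR_FILEINFO` is missing the space after the comma, and the added blank line before `{NULL}` is stray. The manual hunk in this commit spells the directive CookieHTTPOnly while this table registers CookieHttpOnly; directive matching is case-insensitive in httpd so both work, but the two spellings should agree.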