author | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2009-03-02 13:56:35 +0000 |
committer | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2009-03-02 13:56:35 +0000 |
commit | d8890ecb44860a4a8a4057d262bdd1f3c790ee99 (patch) | |
tree | 932ab3121569bc155cd5312fcd7083ec79066dc4 | |
parent | 7a1a61171ff594efd9da0884f483917f0e7750ea (diff) | |
Add a MellonSecureCookie setting to enforce Secure + HttpOnly flags for
session cookies.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@40 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | auth_mellon.h | 1 | ||||
-rw-r--r-- | auth_mellon_config.c | 19 | ||||
-rw-r--r-- | auth_mellon_cookie.c | 7 |
4 files changed, 33 insertions, 1 deletions
@@ -161,6 +161,13 @@ MellonLockFile "/tmp/mellonLock"
 # Default: "cookie"
 MellonVariable "cookie"
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
+ # Default: Off
+ MellonSecureCookie On
+
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
 # MellonUser selects which attribute we should use for the username.
 # The username is passed on to other apache modules and to the web
 # page the user visits. NAME_ID is an attribute which we set to
diff --git a/auth_mellon.h b/auth_mellon.h
index 13b6c30..f40d1d9 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -127,6 +127,7 @@ typedef struct am_dir_cfg_rec {
 am_decoder_t decoder;
 const char *varname;
+ int secure;
 apr_hash_t *require;
 apr_hash_t *envattr;
 const char *userattr;
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index f22b447..767663f 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -39,6 +39,10 @@ static const char *default_user_attribute = "NAME_ID";
 */
 static const char *default_cookie_name = "cookie";
+/* The default setting for cookie flags is to not enforce HttpOnly and secure
+ */
+static const int default_secure_cookie = 0;
+
 /* This is the default IdP initiated login location
 * the MellonDefaultLoginPath configuration directive if you change this.
 */
@@ -352,6 +356,14 @@ const command_rec auth_mellon_commands[] = {
 " be 'mellon-cookie'."
 ),
 AP_INIT_TAKE1(
+ "MellonSecureCookie",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, secure),
+ OR_AUTHCFG,
+ "Whether the cookie set by auth_mellon should have HttpOnly and"
+ " secure flags set. Default is off."
+ ),
+ AP_INIT_TAKE1(
 "MellonUser",
 ap_set_string_slot,
 (void *)APR_OFFSETOF(am_dir_cfg_rec, userattr),
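Review bot: The new `MellonSecureCookie` entry in `auth_mellon_commands[]` is declared with `AP_INIT_TAKE1` but its handler is `ap_set_flag_slot`, which in the httpd API takes an `int` On/Off argument rather than the `const char *` a TAKE1 directive passes; unless I am misreading the API, the handler receives a pointer in its int slot, so the stored `secure` value is not the configured flag and `MellonSecureCookie Off` is unlikely to be honoured. The `AP_INIT_TAKE1(` that opens the MellonSecureCookie entry (the context line just before `"MellonSecureCookie",`) should read `AP_INIT_FLAG(`, which parses On/Off and invokes the flag-slot setter. The enclosing `auth_mellon_commands[]` table starts and ends outside the hunk.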
@@ -480,6 +492,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 dir->decoder = am_decoder_default;
 dir->varname = default_cookie_name;
+ dir->secure = default_secure_cookie;
 dir->require = apr_hash_make(p);
 dir->envattr = apr_hash_make(p);
 dir->userattr = default_user_attribute;
@@ -541,6 +554,12 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->varname :
 base_cfg->varname);
+
+ new_cfg->secure = (add_cfg->secure != default_secure_cookie ?
+ add_cfg->secure :
+ base_cfg->secure);
+
+
 new_cfg->require = apr_hash_copy(p,
 (apr_hash_count(add_cfg->require) > 0) ?
 add_cfg->require :
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 4995a06..b7453ad 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -140,13 +140,18 @@ void am_cookie_set(request_rec *r, const char *id)
 {
 const char *name;
 char *cookie;
+ int secure_cookie;
 if (id == NULL) return;
+ secure_cookie = ((am_dir_cfg_rec *)am_get_dir_cfg(r))->secure;
 name = am_cookie_name(r);
- cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/", name, id);
+ cookie = apr_psprintf(r->pool,
+ "%s=%s; Version=1; Path=/; Domain=%s%s;",
+ name, id, r->server->server_hostname,
+ secure_cookie ? "; HttpOnly; secure" : "");
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "cookie_set: %s", cookie); |
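Review bot: In `auth_mellon_dir_merge` the new merge `new_cfg->secure = (add_cfg->secure != default_secure_cookie ? add_cfg->secure : base_cfg->secure)` cannot tell an explicit `MellonSecureCookie Off` in a child context apart from the directive being absent, because both leave `secure` at the default 0, so an `On` inherited from the parent can never be switched off below it. That fails towards the stricter setting, which is acceptable, but it should be stated next to the merge, e.g. `/* An explicit Off in a child context does not override an inherited On. */`, and in the directive help text. If overriding is actually wanted, initialise `secure` to a sentinel such as -1 in `auth_mellon_dir_config`, merge on `add_cfg->secure != -1`, and treat the sentinel as 0 where the flag is read. `auth_mellon_dir_merge` begins and ends outside the hunk.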
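Review bot: The rewritten `apr_psprintf` call in `am_cookie_set` also adds `Domain=%s` from `r->server->server_hostname`, which the commit message does not mention and which turns the session cookie from a host-only cookie into a domain cookie that user agents also send to subdomains of the ServerName; widening the scope of a session cookie should be a deliberate, separately reviewed change rather than a side effect of adding the Secure/HttpOnly flags. The format string also leaves a trailing `;` in both branches (`...Domain=host;` and `...Domain=host; HttpOnly; secure;`); dropping the final `;` from `"%s=%s; Version=1; Path=/; Domain=%s%s;"` gives a cleanly terminated attribute list. Since a cookie marked `secure` is only returned over HTTPS, a plain-HTTP vhost with `MellonSecureCookie On` will never get its session cookie back, which is worth stating in the directive help. `am_cookie_set` continues past the end of the hunk.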