authormanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2009-03-02 13:56:35 +0000
committermanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2009-03-02 13:56:35 +0000
commitd8890ecb44860a4a8a4057d262bdd1f3c790ee99 (patch)
tree932ab3121569bc155cd5312fcd7083ec79066dc4
parent7a1a61171ff594efd9da0884f483917f0e7750ea (diff)
Add a MellonSecureCookie setting to enforce Secure + HttpOnly flags for
session cookies. git-svn-id: https://modmellon.googlecode.com/svn/trunk@40 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--README7
-rw-r--r--auth_mellon.h1
-rw-r--r--auth_mellon_config.c19
-rw-r--r--auth_mellon_cookie.c7
4 files changed, 33 insertions, 1 deletions
diff --git a/README b/README
index c463150..573b5b3 100644
--- a/README
+++ b/README
@@ -161,6 +161,13 @@ MellonLockFile "/tmp/mellonLock"
# Default: "cookie"
MellonVariable "cookie"
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
+ # Default: Off
+ MellonSecureCookie On
+
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
# MellonUser selects which attribute we should use for the username.
# The username is passed on to other apache modules and to the web
# page the user visits. NAME_ID is an attribute which we set to
diff --git a/auth_mellon.h b/auth_mellon.h
index 13b6c30..f40d1d9 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -127,6 +127,7 @@ typedef struct am_dir_cfg_rec {
am_decoder_t decoder;
const char *varname;
+ int secure;
apr_hash_t *require;
apr_hash_t *envattr;
const char *userattr;
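Review bot: The new `secure` member of `am_dir_cfg_rec` carries no comment, so a reader of the header cannot tell which directive fills it or what its values mean; a short trailing comment such as `int secure; /* MellonSecureCookie: add HttpOnly and secure to the session cookie */` would do. The struct definition starts and ends outside the hunk.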
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index f22b447..767663f 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -39,6 +39,10 @@ static const char *default_user_attribute = "NAME_ID";
*/
static const char *default_cookie_name = "cookie";
+/* The default setting for cookie flags is to not enforce HttpOnly and secure
+ */
+static const int default_secure_cookie = 0;
+
/* This is the default IdP initiated login location
* the MellonDefaultLoginPath configuration directive if you change this.
*/
@@ -352,6 +356,14 @@ const command_rec auth_mellon_commands[] = {
" be 'mellon-cookie'."
),
AP_INIT_TAKE1(
+ "MellonSecureCookie",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, secure),
+ OR_AUTHCFG,
+ "Whether the cookie set by auth_mellon should have HttpOnly and"
+ " secure flags set. Default is off."
+ ),
+ AP_INIT_TAKE1(
"MellonUser",
ap_set_string_slot,
(void *)APR_OFFSETOF(am_dir_cfg_rec, userattr),
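Review bot: `MellonSecureCookie` is registered under the `AP_INIT_TAKE1(` it now shares with the context line above it, but its handler `ap_set_flag_slot` expects the parsed `int` that only `AP_INIT_FLAG` supplies; with TAKE1 the core passes the raw `const char *` argument, so the field receives a truncated pointer value and `MellonSecureCookie Off` will most likely enable the flag rather than clear it. Open the entry with `AP_INIT_FLAG(` instead, which also makes the core reject anything other than On/Off. The `auth_mellon_commands` array starts and ends outside the hunk.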
@@ -480,6 +492,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->decoder = am_decoder_default;
dir->varname = default_cookie_name;
+ dir->secure = default_secure_cookie;
dir->require = apr_hash_make(p);
dir->envattr = apr_hash_make(p);
dir->userattr = default_user_attribute;
@@ -541,6 +554,12 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
add_cfg->varname :
base_cfg->varname);
+
+ new_cfg->secure = (add_cfg->secure != default_secure_cookie ?
+ add_cfg->secure :
+ base_cfg->secure);
+
+
new_cfg->require = apr_hash_copy(p,
(apr_hash_count(add_cfg->require) > 0) ?
add_cfg->require :
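Review bot: The merge on the new lines after `base_cfg->varname);` cannot tell an explicit `MellonSecureCookie Off` from an unset directive, because both equal `default_secure_cookie` (0), so a child location can never switch the flag off once a parent has set it On. The usual fix is a three-state field: initialise `dir->secure` to -1 in auth_mellon_dir_config (the hunk at the `dir->varname = default_cookie_name;` line), merge with `new_cfg->secure = (add_cfg->secure != -1 ? add_cfg->secure : base_cfg->secure);`, and have am_cookie_set treat -1 as off (`secure_cookie = cfg->secure > 0;`). The two extra blank lines around the new assignment do not match the spacing of the neighbouring merges and can be trimmed. auth_mellon_dir_merge starts before the hunk and continues after it.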
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 4995a06..b7453ad 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -140,13 +140,18 @@ void am_cookie_set(request_rec *r, const char *id)
{
const char *name;
char *cookie;
+ int secure_cookie;
if (id == NULL)
return;
+ secure_cookie = ((am_dir_cfg_rec *)am_get_dir_cfg(r))->secure;
name = am_cookie_name(r);
- cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/", name, id);
+ cookie = apr_psprintf(r->pool,
+ "%s=%s; Version=1; Path=/; Domain=%s%s;",
+ name, id, r->server->server_hostname,
+ secure_cookie ? "; HttpOnly; secure" : "");
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"cookie_set: %s", cookie);
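Review bot: The rewritten apr_psprintf after `name = am_cookie_name(r);` adds a `Domain=` attribute set to `r->server->server_hostname` on every cookie, which neither the directive nor the commit message describes; a Domain attribute makes the session cookie visible to all subdomains of the server name, whereas the previous host-only cookie was not, and when ServerName differs from the Host the client used, browsers will discard the cookie. Unless the wider scope is intended, keep the host-only behaviour: `cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/%s", name, id, secure_cookie ? "; HttpOnly; secure" : "");`. The trailing `;` in the new format string leaves an empty attribute at the end and can go at the same time. The directive help should also say that once `secure` is set browsers return the cookie only over HTTPS, so a location served over plain HTTP will keep redirecting to the IdP. am_cookie_set continues past the end of the hunk.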