Package: libapache-request-perl Version: 1.33-1 Severity: wishlist As best I can tell, Apache::Cookie has no direct way to add the HttpOnly flag to the cookies it sets. Although browser support for this feature is still spotty, it is a useful measure to limit the impact of cross-site scripting attacks in supporting browsers. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp provides some information on the intended syntax and support.
Thanks, Robert Stone
diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.c libapache-request-perl-1.33/c/apache_cookie.c
--- libapache-request-perl-1.33.old/c/apache_cookie.c 2004-11-26 15:02:03.000000000 -0800
+++ libapache-request-perl-1.33/c/apache_cookie.c 2007-02-21 15:42:01.924134177 -0800
@@ -59,6 +59,14 @@
 }
 retval = c->secure ? "on" : "";
 break;
+ case 'h':
+ if(val) {
+ c->httponly =
+ !strcaseEQ(val, "off") &&
+ !strcaseEQ(val, "0");
+ }
+ retval = c->httponly ? "on" : "";
+ break;
 default:
 ap_log_rerror(APC_ERROR, "[libapreq] unknown cookie pair: `%s' => `%s'", key, val);
@@ -78,6 +86,7 @@
 c->r = r;
 c->values = ap_make_array(r->pool, 1, sizeof(char *));
 c->secure = 0;
+ c->httponly = 0;
 c->name = c->expires = NULL;
 c->domain = NULL;
@@ -201,6 +210,9 @@
 if (c->secure) {
 cookie_push_arr(values, "secure");
 }
+ if(c->httponly) {
+ cookie_push_arr(values, "HttpOnly");
+ }
 cookie = ap_pstrcat(p, escape_url(p, c->name), "=", NULL);
 for (i=0; i<c->values->nelts; i++) {
diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.h libapache-request-perl-1.33/c/apache_cookie.h
--- libapache-request-perl-1.33.old/c/apache_cookie.h 2004-11-26 15:02:03.000000000 -0800
+++ libapache-request-perl-1.33/c/apache_cookie.h 2007-02-21 15:45:47.076077858 -0800
@@ -29,6 +29,7 @@
 char *expires;
 char *path;
 int secure;
+ int httponly;
 } ApacheCookie;
 #ifdef __cplusplus
diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.pm libapache-request-perl-1.33/Cookie/Cookie.pm
--- libapache-request-perl-1.33.old/Cookie/Cookie.pm 2004-11-26 15:02:04.000000000 -0800
+++ libapache-request-perl-1.33/Cookie/Cookie.pm 2007-02-21 17:27:45.176540603 -0800
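Review bot: The new `case 'h'` branch in the first apache_cookie.c hunk treats every value except a case-insensitive "off" or "0" as enabling the flag, so "false" or an empty string would also turn HttpOnly on; this appears to mirror the existing `secure` handling just above it (whose parsing lies outside the hunk), and a one-line comment such as `/* any value other than "off"/"0" enables HttpOnly, as for secure */` would make that contract explicit for callers and for the Perl-side docs, which only mention On/Off. If the switch is keyed on the first character of the attribute name, as `case 'h'` suggests, any attribute whose name starts with 'h' will be accepted as httponly — worth confirming against how `secure` is matched. The branch also writes `if(val) {` while the surrounding context uses `if (c->secure) {`, and the same spacing recurs in the third hunk's `if(c->httponly) {`. The enclosing switch and its function start and end outside the hunk.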
@@ -146,6 +146,13 @@
 my $secure = $cookie->secure;
 $cookie->secure(1);
+=head2 httponly
+
+Get or set the HttpOnly flag for the cookie:
+
+ my $HttpOnly = $cookie->httponly;
+ $cookie->httponly(1);
+
 =back
 =head1 CAVEATS
diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.xs libapache-request-perl-1.33/Cookie/Cookie.xs
--- libapache-request-perl-1.33.old/Cookie/Cookie.xs 2004-12-06 06:49:46.000000000 -0800
+++ libapache-request-perl-1.33/Cookie/Cookie.xs 2007-02-21 17:28:25.687726275 -0800
@@ -130,6 +130,9 @@
 #define ApacheCookie_secure(c, val) \
 ApacheCookie_attr(c, "secure", val)
+#define ApacheCookie_httponly(c, val) \
+ApacheCookie_attr(c, "httponly", val)
+
 MODULE = Apache::Cookie PACKAGE = Apache::Cookie PREFIX = ApacheCookie_
 PROTOTYPES: DISABLE
@@ -297,6 +300,11 @@
 Apache::Cookie c
 char *val
+char *
+ApacheCookie_httponly(c, val=NULL)
+ Apache::Cookie c
+ char *val
+
 void
 ApacheCookie_bake(c)
 Apache::Cookie c
diff -Naur libapache-request-perl-1.33.old/libapreq.pod libapache-request-perl-1.33/libapreq.pod
--- libapache-request-perl-1.33.old/libapreq.pod 2004-11-26 15:02:04.000000000 -0800
+++ libapache-request-perl-1.33/libapreq.pod 2007-02-21 17:26:16.902210826 -0800
@@ -243,6 +243,12 @@
 of I<On> or I<Off>. The default is I<Off>.
+=item -httponly
+
+Sets the I<HttpOnly> field to true or false using a given string value
+of I<On> or I<Off>.
+The default is I<Off>.
+
 =back
 Example:
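Review bot: The new `ApacheCookie_httponly(c, val=NULL)` XS entry in the second Cookie.xs hunk exposes the attribute getter/setter to Perl, but nothing on the Perl side states what it returns or which values switch the flag; from the apache_cookie.c hunk the getter yields "on" or "" and any value other than "off"/"0" enables it. The `=head2 httponly` text added to Cookie.pm could say so in one sentence, e.g. `Returns "on" when the flag is set and an empty string otherwise; any value other than "off" or "0" enables it.` This would keep the Perl documentation in step with the C behaviour rather than the On/Off wording used in libapreq.pod. The XS declaration is complete within the hunk; the surrounding MODULE block continues outside it.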