
Teach pragma set_httponly to apply only to certain cookies

E.g. for the default session cookie only:

Pragma set_httponly=MV_SESSION_ID

The change is backward-compatible, so this still applies to all cookies as before:

Pragma set_httponly
jonjensen committed Jan 9, 2019
1 parent d8e443d commit acad7bb10241039df6777468f4938667914a06cf
Showing with 28 additions and 3 deletions.
  1. +14 −0 doc/WHATSNEW-5.12
  2. +14 −3 lib/Vend/Server.pm
@@ -70,6 +70,20 @@ Core
* Refactor cookie-setting routine to avoid double ; and extra string copying
and use canonical capitalization.

* Teach pragma set_httponly to apply only to certain cookies.

E.g. for the default session cookie only:

Pragma set_httponly=MV_SESSION_ID

Or for that plus another arbitrary cookie "cart":

Pragma set_httponly=MV_SESSION_ID,cart

The old behavior of setting HttpOnly for all cookies still works as before, e.g.:

Pragma set_httponly

* Add CounterDir configuration to allow counters to be defined by default in
some place different than VendRoot.

@@ -1,6 +1,6 @@
# Vend::Server - Listen for Interchange CGI requests as a background server
#
# Copyright (C) 2002-2018 Interchange Development Group
# Copyright (C) 2002-2019 Interchange Development Group
# Copyright (C) 1996-2002 Red Hat, Inc.
#
# This program was originally based on Vend 0.2 and 0.3
@@ -24,7 +24,7 @@
package Vend::Server;

use vars qw($VERSION $Has_JSON $RUNDIR);
$VERSION = '2.109';
$VERSION = '2.110';

use Cwd;
use POSIX qw(setsid strftime);
@@ -585,6 +585,17 @@ sub create_cookie {
$sub->();
}

my $all_httponly;
my %httponly;
if (my $p = $::Pragma->{set_httponly}) {
if ($p eq '1') {
$all_httponly = 1;
}
else {
$httponly{$_} = undef for split /\s*,\s*/, $p;
}
}

my @jar;
push @jar, [
$::Instance->{CookieName} || 'MV_SESSION_ID',
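Review bot: the `exists $httponly{$name}` lookup is keyed by the real cookie name, and the session cookie is pushed into `@jar` as `$::Instance->{CookieName} || 'MV_SESSION_ID'`, so the documented `Pragma set_httponly=MV_SESSION_ID` silently stops applying HttpOnly to the session cookie on any catalog that sets CookieName to something else; the WHATSNEW entry and the pragma docs should say that the configured CookieName must be the name listed. Also, `split /\s*,\s*/, $p` only strips whitespace around the commas, not at the ends of the value, so unless the pragma parser already trims it, a value such as ` MV_SESSION_ID` would be stored with a leading space and never match; a `$p =~ s/^\s+|\s+$//g;` before the split would close that gap.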
@@ -624,7 +635,7 @@ sub create_cookie {
push @pieces, $expstring;
}
push @pieces, 'Secure' if $secure;
push @pieces, 'HttpOnly' if $::Pragma->{set_httponly};
push @pieces, 'HttpOnly' if $all_httponly or exists $httponly{$name};
my $header = join('; ', @pieces);
#::logDebug("create_cookie made header: $header");
push @out, $header;
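Review bot: the removed line enabled HttpOnly on every cookie for any true value of `set_httponly`, whereas the new condition only does so via `$all_httponly`, which the hunk above sets solely when the pragma value is exactly `'1'`; a catalog that already has `Pragma set_httponly=yes` (or `=on`, `=true`) would now be parsed as a cookie-name list containing `yes` and lose HttpOnly on every cookie, which contradicts the backward-compatibility claim in the commit message. Suggest either treating common boolean spellings as the all-cookies form, e.g. `if ($p =~ /^(?:1|yes|on|true)$/i) { $all_httponly = 1 }`, or stating plainly in WHATSNEW that only `1` (or the bare pragma) means all cookies.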

0 comments on commit acad7bb
