From 4992dd2d307aefd288379d2fefcf5a87b7631b75 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 31 May 2012 21:02:17 +0200
Subject: [PATCH] MINOR: http: add support for "httponly" and "secure" cookie attributes

httponly This option tells haproxy to add an "HttpOnly" cookie attribute when a cookie is inserted. This attribute is used so that a user agent doesn't share the cookie with non-HTTP components. Please check RFC6265 for more information on this attribute.

secure This option tells haproxy to add a "Secure" cookie attribute when a cookie is inserted. This attribute is used so that a user agent never emits this cookie over non-secure channels, which means that a cookie learned with this flag will be presented only over SSL/TLS connections. Please check RFC6265 for more information on this attribute.
---
 doc/configuration.txt | 16 ++++++++++++++--
 include/types/proxy.h | 2 ++
 src/cfgparse.c | 6 ++++++
 src/proto_http.c | 6 ++++++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1253357b0..b7ca28d09 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1891,8 +1891,8 @@ contimeout (deprecated)
 cookie [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
-       [ postonly ] [ preserve ] [ domain ]*
-       [ maxidle ] [ maxlife ]
+       [ postonly ] [ preserve ] [ httponly ] [ secure ]
+       [ domain ]* [ maxidle ] [ maxlife ]
 Enable cookie-based persistence in a backend.
 May be used in sections : defaults | frontend | listen | backend
 yes | no | yes | yes
@@ -1990,6 +1990,18 @@ cookie [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
                shutdown because users will definitely leave the server after
                they logout.
+  httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
+            when a cookie is inserted. This attribute is used so that a
+            user agent doesn't share the cookie with non-HTTP components.
+            Please check RFC6265 for more information on this attribute.
+
+  secure    This option tells haproxy to add a "Secure" cookie attribute when
+            a cookie is inserted. This attribute is used so that a user agent
+            never emits this cookie over non-secure channels, which means
+            that a cookie learned with this flag will be presented only over
+            SSL/TLS connections. Please check RFC6265 for more information on
+            this attribute.
+
   domain    This option allows to specify the domain at which a cookie is
             inserted. It requires exactly one parameter: a valid domain
             name. If the domain begins with a dot, the browser is allowed to
diff --git a/include/types/proxy.h b/include/types/proxy.h
index 1da0f9ddb..53dd96d7b 100644
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -169,6 +169,8 @@ enum {
 #define PR_CK_NOC 0x00000010 /* add a 'Cache-control' header with the cookie */
 #define PR_CK_POST 0x00000020 /* don't insert cookies for requests other than a POST */
 #define PR_CK_PSV 0x00000040 /* cookie ... preserve */
+#define PR_CK_HTTPONLY 0x00000080 /* emit the "HttpOnly" attribute */
+#define PR_CK_SECURE 0x00000100 /* emit the "Secure" attribute */
 /* bits for sticking rules */
 #define STK_IS_MATCH 0x00000001 /* match on request fetch */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index a7aade5aa..5f8cb9675 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2161,6 +2161,12 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 				else if (!strcmp(args[cur_arg], "prefix")) {
 					curproxy->ck_opts |= PR_CK_PFX;
 				}
+				else if (!strcmp(args[cur_arg], "httponly")) {
+					curproxy->ck_opts |= PR_CK_HTTPONLY;
+				}
+				else if (!strcmp(args[cur_arg], "secure")) {
+					curproxy->ck_opts |= PR_CK_SECURE;
+				}
 				else if (!strcmp(args[cur_arg], "domain")) {
 					if (!*args[cur_arg + 1]) {
 						Alert("parsing [%s:%d]: '%s' expects as argument.\n",
diff --git a/src/proto_http.c b/src/proto_http.c
index 02537ff40..7eeb4f64a 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -5085,6 +5085,12 @@ int http_process_res_common(struct session *t, struct buffer *rep, int an_bit, s
 				if (t->be->cookie_domain)
 					len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain);
+				if (t->be->ck_opts & PR_CK_HTTPONLY)
+					len += sprintf(trash+len, "; HttpOnly");
+
+				if (t->be->ck_opts & PR_CK_SECURE)
+					len += sprintf(trash+len, "; Secure");
+
 				if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0))
 					goto return_bad_resp;
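Review bot: The new `httponly` and `secure` keywords only set a bit in `curproxy->ck_opts` and are accepted in any cookie mode, while the only place this commit emits the attributes is the Set-Cookie construction in the proto_http.c hunk, so a `rewrite` or `prefix` configuration that names them appears to be silently ineffective — inferred from the hunks shown, since the rest of the `cookie` keyword parsing is outside this hunk. A config-time diagnostic after the option loop would surface the mismatch, along the lines of `if ((curproxy->ck_opts & (PR_CK_HTTPONLY | PR_CK_SECURE)) && !<insert-mode bit set>) Warning("parsing [%s:%d] : cookie 'httponly'/'secure' are only emitted in insert mode.\n", file, linenum);` with the real insert-mode flag substituted. cfg_parse_listen starts and ends outside the hunk.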
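Review bot: The two new `sprintf(trash+len, ...)` calls append to `trash` with no bound on `len`, matching the `domain` line above them, and nothing in the hunk checks that the buffer still has room before `http_header_add_tail2` is called. The appended literals are fixed and short and the earlier fields come from configuration, so this reads as a robustness issue rather than a remote one, but `snprintf(trash + len, TRASH_SIZE_PLACEHOLDER - len, "; HttpOnly")` (likewise for `"; Secure"`, with the actual size of `trash` substituted) plus a truncation check would make an overrun impossible for any cookie name, value or domain length. Separately, `Secure` is emitted regardless of whether the client connection is TLS, and per the doc hunk the user agent will then never return the cookie over plain HTTP, so persistence silently breaks on non-TLS frontends; a comment such as `/* emitted unconditionally: a UA drops a Secure cookie on plain HTTP, so enable only on TLS-terminated listeners */` would flag that. http_process_res_common starts and ends outside the hunk.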