MINOR: http: add support for "httponly" and "secure" cookie attributes

   httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
             when a cookie is inserted. This attribute is used so that a
             user agent doesn't share the cookie with non-HTTP components.
             Please check RFC6265 for more information on this attribute.

   secure    This option tells haproxy to add a "Secure" cookie attribute when
             a cookie is inserted. This attribute is used so that a user agent
             never emits this cookie over non-secure channels, which means
             that a cookie learned with this flag will be presented only over
             SSL/TLS connections. Please check RFC6265 for more information on
             this attribute.
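As an added example (not part of this commit or of haproxy's own documentation), the persistence cookie line of a backend without and with the two keywords this commit introduces; the backend names, server names and addresses are constructed:

```haproxy
# Constructed example configuration, not taken from the haproxy commit.
# Before: haproxy inserts a persistence cookie with no attributes, so
# script in the page can read it and the browser also sends it over
# plain HTTP.
backend app_weak
    mode http
    balance roundrobin
    cookie SRVID insert indirect nocache
    server app1 10.0.0.11:8080 cookie a1
    server app2 10.0.0.12:8080 cookie a2

# After: the same backend with "httponly" and "secure", so the Set-Cookie
# haproxy generates carries "; HttpOnly" and "; Secure". Assumes clients
# reach haproxy (or a TLS terminator in front of it) over SSL/TLS; on a
# plain-HTTP listener a Secure cookie is never returned by the browser
# and persistence silently fails.
backend app_hardened
    mode http
    balance roundrobin
    cookie SRVID insert indirect nocache httponly secure
    server app1 10.0.0.11:8080 cookie a1
    server app2 10.0.0.12:8080 cookie a2
```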
Willy Tarreau 2012-05-31 21:02:17 +02:00
parent b5ba17e3a9
commit 4992dd2d30
4 changed files with 28 additions and 2 deletions


@ -1891,8 +1891,8 @@ contimeout <timeout> (deprecated)
cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
[ postonly ] [ preserve ] [ domain <domain> ]* [ postonly ] [ preserve ] [ httponly ] [ secure ]
[ maxidle <idle> ] [ maxlife <life> ] [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Enable cookie-based persistence in a backend. Enable cookie-based persistence in a backend.
May be used in sections : defaults | frontend | listen | backend May be used in sections : defaults | frontend | listen | backend
yes | no | yes | yes yes | no | yes | yes
@ -1990,6 +1990,18 @@ cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
shutdown because users will definitely leave the server after shutdown because users will definitely leave the server after
they logout. they logout.
httponly This option tells haproxy to add an "HttpOnly" cookie attribute
when a cookie is inserted. This attribute is used so that a
user agent doesn't share the cookie with non-HTTP components.
Please check RFC6265 for more information on this attribute.
secure This option tells haproxy to add a "Secure" cookie attribute when
a cookie is inserted. This attribute is used so that a user agent
never emits this cookie over non-secure channels, which means
that a cookie learned with this flag will be presented only over
SSL/TLS connections. Please check RFC6265 for more information on
this attribute.
domain This option allows to specify the domain at which a cookie is domain This option allows to specify the domain at which a cookie is
inserted. It requires exactly one parameter: a valid domain inserted. It requires exactly one parameter: a valid domain
name. If the domain begins with a dot, the browser is allowed to name. If the domain begins with a dot, the browser is allowed to
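Review bot: the `secure` paragraph should state that the attribute is emitted whenever the option is set, whether or not the client actually reached haproxy over SSL/TLS; the emission hunk in http_process_res_common only tests `PR_CK_SECURE`. On a plain-HTTP listener the browser will then never return the cookie and persistence fails with no error anywhere, so a sentence such as "Only use this option when clients reach haproxy, or an SSL/TLS terminator in front of it, over SSL/TLS" would save operators a hard-to-diagnose outage.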


@ -169,6 +169,8 @@ enum {
#define PR_CK_NOC 0x00000010 /* add a 'Cache-control' header with the cookie */ #define PR_CK_NOC 0x00000010 /* add a 'Cache-control' header with the cookie */
#define PR_CK_POST 0x00000020 /* don't insert cookies for requests other than a POST */ #define PR_CK_POST 0x00000020 /* don't insert cookies for requests other than a POST */
#define PR_CK_PSV 0x00000040 /* cookie ... preserve */ #define PR_CK_PSV 0x00000040 /* cookie ... preserve */
#define PR_CK_HTTPONLY 0x00000080 /* emit the "HttpOnly" attribute */
#define PR_CK_SECURE 0x00000100 /* emit the "Secure" attribute */
/* bits for sticking rules */ /* bits for sticking rules */
#define STK_IS_MATCH 0x00000001 /* match on request fetch */ #define STK_IS_MATCH 0x00000001 /* match on request fetch */


@ -2161,6 +2161,12 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
else if (!strcmp(args[cur_arg], "prefix")) { else if (!strcmp(args[cur_arg], "prefix")) {
curproxy->ck_opts |= PR_CK_PFX; curproxy->ck_opts |= PR_CK_PFX;
} }
else if (!strcmp(args[cur_arg], "httponly")) {
curproxy->ck_opts |= PR_CK_HTTPONLY;
}
else if (!strcmp(args[cur_arg], "secure")) {
curproxy->ck_opts |= PR_CK_SECURE;
}
else if (!strcmp(args[cur_arg], "domain")) { else if (!strcmp(args[cur_arg], "domain")) {
if (!*args[cur_arg + 1]) { if (!*args[cur_arg + 1]) {
Alert("parsing [%s:%d]: '%s' expects <domain> as argument.\n", Alert("parsing [%s:%d]: '%s' expects <domain> as argument.\n",
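Review bot: the parser accepts `httponly` and `secure` in any cookie mode, but the documentation in this commit describes both as applying "when a cookie is inserted", and the only place the attributes are appended is the Set-Cookie that haproxy composes itself in http_process_res_common. Consider a config-time warning when either keyword is present without `insert`, so an operator who expects hardened cookies in `rewrite` or `prefix` mode is told the flags have no effect, the same way this hunk already alerts on a missing `domain` argument.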


@ -5085,6 +5085,12 @@ int http_process_res_common(struct session *t, struct buffer *rep, int an_bit, s
if (t->be->cookie_domain) if (t->be->cookie_domain)
len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain); len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain);
if (t->be->ck_opts & PR_CK_HTTPONLY)
len += sprintf(trash+len, "; HttpOnly");
if (t->be->ck_opts & PR_CK_SECURE)
len += sprintf(trash+len, "; Secure");
if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0)) if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0))
goto return_bad_resp; goto return_bad_resp;
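Review bot: the two new `sprintf` calls extend an unbounded write into `trash`: nothing in this hunk checks that `len` plus the fixed 10-byte "; HttpOnly" and 8-byte "; Secure" suffixes, on top of the configuration-controlled `cookie_domain` appended just above, still fits the buffer. The pre-existing domain line has the same shape, but each extra suffix moves the header closer to the end of `trash`, so consider `snprintf` against the remaining space (or a single size check before the first append) and taking the `return_bad_resp` path on overflow, as the `http_header_add_tail2` branch below already does.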