MINOR: http: add support for "httponly" and "secure" cookie attributes

   httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
             when a cookie is inserted. This attribute is used so that a
             user agent doesn't share the cookie with non-HTTP components.
             Please check RFC6265 for more information on this attribute.

   secure    This option tells haproxy to add a "Secure" cookie attribute when
             a cookie is inserted. This attribute is used so that a user agent
             never emits this cookie over non-secure channels, which means
             that a cookie learned with this flag will be presented only over
             SSL/TLS connections. Please check RFC6265 for more information on
             this attribute.

This commit is contained in:
Willy Tarreau 2012-05-31 21:02:17 +02:00
parent b5ba17e3a9
commit 4992dd2d30
4 changed files with 28 additions and 2 deletions
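The two attributes this commit adds are the ones a reviewer checks for when auditing Set-Cookie headers. The following is an added example, not code from the HAProxy commit or project: it mirrors the emission order of the patched code (domain, then HttpOnly, then Secure) using the PR_CK_* bit values from the diff, parses Set-Cookie headers per RFC 6265 section 5.2 (attribute names are case-insensitive), and reports what a defender cares about. Whatever haproxy emits before the domain (path and so on) is not visible in the diff and is deliberately left out; all cookie names and values are constructed.

```python
"""Added example, not part of the HAProxy commit: mirror the Set-Cookie
emission order of the patched http_process_res_common() and audit
Set-Cookie headers for the HttpOnly / Secure attributes (RFC 6265).
All sample cookie names and values are constructed."""

from dataclasses import dataclass, field

# Option bits copied from the PR_CK_* defines in the diff.
PR_CK_HTTPONLY = 0x00000080
PR_CK_SECURE = 0x00000100


def build_persistence_cookie(name, value, domain=None, ck_opts=0):
    """Append attributes in the same order as the hunk: domain, HttpOnly, Secure.
    Anything haproxy emits before the domain (e.g. path) is not shown in the
    diff and is left out here on purpose."""
    header = f"{name}={value}"
    if domain:
        header += f"; domain={domain}"
    if ck_opts & PR_CK_HTTPONLY:
        header += "; HttpOnly"
    if ck_opts & PR_CK_SECURE:
        header += "; Secure"
    return header


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value ('' for flag attributes)
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self):
        return "httponly" in self.attributes

    @property
    def secure(self):
        return "secure" in self.attributes


def parse_set_cookie(header):
    """Parse a Set-Cookie header value per RFC 6265 section 5.2: the first
    ';'-separated part is name=value, the rest are attributes whose names are
    case-insensitive. Flag attributes (HttpOnly, Secure) carry no '='."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must start with name=value")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        aname, _, aval = attr.partition("=")
        cookie.attributes[aname.strip().lower()] = aval.strip()
    return cookie


def audit_set_cookie(header, response_over_tls):
    """Return a list of findings for one Set-Cookie header.

    response_over_tls tells the auditor whether the response carrying the
    header reached the client over TLS; a Secure cookie set on a cleartext
    response is never returned by the browser, so persistence silently fails."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.httponly:
        findings.append(f"{cookie.name}: missing HttpOnly, readable by scripts in the page")
    if not cookie.secure and response_over_tls:
        findings.append(f"{cookie.name}: missing Secure, browser may resend it over cleartext HTTP")
    if cookie.secure and not response_over_tls:
        findings.append(f"{cookie.name}: Secure on a cleartext response, browser will never return it")
    return findings


if __name__ == "__main__":
    hdr = build_persistence_cookie("SRV", "s1", "example.com",
                                   PR_CK_HTTPONLY | PR_CK_SECURE)
    print(hdr)
    for finding in audit_set_cookie(hdr, response_over_tls=False):
        print("finding:", finding)
```

Running the module builds the header the patched code would emit for `cookie SRV insert domain example.com httponly secure` and then audits it as if the response had gone out over plain HTTP, which surfaces the case where `secure` is configured on a frontend that is not terminating TLS.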

@ -1891,8 +1891,8 @@ contimeout <timeout> (deprecated)
cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
[ postonly ] [ preserve ] [ domain <domain> ]*
[ maxidle <idle> ] [ maxlife <life> ]
[ postonly ] [ preserve ] [ httponly ] [ secure ]
[ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Enable cookie-based persistence in a backend.
May be used in sections : defaults | frontend | listen | backend
yes | no | yes | yes
@ -1990,6 +1990,18 @@ cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
shutdown because users will definitely leave the server after
they logout.
httponly This option tells haproxy to add an "HttpOnly" cookie attribute
when a cookie is inserted. This attribute is used so that a
user agent doesn't share the cookie with non-HTTP components.
Please check RFC6265 for more information on this attribute.
secure This option tells haproxy to add a "Secure" cookie attribute when
a cookie is inserted. This attribute is used so that a user agent
never emits this cookie over non-secure channels, which means
that a cookie learned with this flag will be presented only over
SSL/TLS connections. Please check RFC6265 for more information on
this attribute.
domain This option allows to specify the domain at which a cookie is
inserted. It requires exactly one parameter: a valid domain
name. If the domain begins with a dot, the browser is allowed to
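Review bot: the "secure" entry should spell out the operational consequence of "never emits this cookie over non-secure channels": if the frontend handing out the cookie is reached over plain HTTP (TLS terminated elsewhere, or not at all), the browser will never return the cookie and persistence silently stops working. One sentence such as "Use this option only when clients reach haproxy over SSL/TLS, otherwise the cookie will never be sent back" would save an operator a puzzling debugging session.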

@ -169,6 +169,8 @@ enum {
#define PR_CK_NOC 0x00000010 /* add a 'Cache-control' header with the cookie */
#define PR_CK_POST 0x00000020 /* don't insert cookies for requests other than a POST */
#define PR_CK_PSV 0x00000040 /* cookie ... preserve */
#define PR_CK_HTTPONLY 0x00000080 /* emit the "HttpOnly" attribute */
#define PR_CK_SECURE 0x00000100 /* emit the "Secure" attribute */
/* bits for sticking rules */
#define STK_IS_MATCH 0x00000001 /* match on request fetch */

@ -2161,6 +2161,12 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
else if (!strcmp(args[cur_arg], "prefix")) {
curproxy->ck_opts |= PR_CK_PFX;
}
else if (!strcmp(args[cur_arg], "httponly")) {
curproxy->ck_opts |= PR_CK_HTTPONLY;
}
else if (!strcmp(args[cur_arg], "secure")) {
curproxy->ck_opts |= PR_CK_SECURE;
}
else if (!strcmp(args[cur_arg], "domain")) {
if (!*args[cur_arg + 1]) {
Alert("parsing [%s:%d]: '%s' expects <domain> as argument.\n",
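Review bot: the two new branches set PR_CK_HTTPONLY and PR_CK_SECURE regardless of which cookie mode (rewrite, insert, prefix) is in effect, while the documentation hunk says the attributes are added "when a cookie is inserted". If they only take effect in insert mode, either emit a Warning here when "httponly" or "secure" is combined with a non-insert mode, or state in the doc that they are ignored otherwise; as written, a misconfiguration is accepted silently.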

@ -5085,6 +5085,12 @@ int http_process_res_common(struct session *t, struct buffer *rep, int an_bit, s
if (t->be->cookie_domain)
len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain);
if (t->be->ck_opts & PR_CK_HTTPONLY)
len += sprintf(trash+len, "; HttpOnly");
if (t->be->ck_opts & PR_CK_SECURE)
len += sprintf(trash+len, "; Secure");
if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0))
goto return_bad_resp;
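Review bot: the two new sprintf() calls write fixed strings ("; HttpOnly" is 10 bytes, "; Secure" is 8), so they extend the existing unbounded write into trash by at most 18 bytes on top of the cookie_domain append just above. That is fine only if the sizing assumption that already covers the domain case has that headroom; a short comment stating that the suffixes are constant-length (or switching these lines to snprintf against the remaining space) would make the invariant visible to the next person touching this buffer.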