I had some time to kill tonight and after some screwing around produced
the attached patch which may or may not be useful. It's for the C API
(I'm assuming anyway) and does pass on my laptop with the Debian patch
applied.
I am not familiar with httpd or libapreq internals, and basically made
this up as I was going along, stealing what was already there, so any
feedback would be appreciated.
Adam
On 08/11/10 10:09 AM, Joe Schaefer wrote:
> The patch looks good to me too. I'd been planning
> to implement this feature some weekend and the patch
> is pretty much how I'd do it, so I'd +1 it once the
> corresponding tests are written.
>
>
>
> ----- Original Message ----
>> From: Issac Goldstand <[email protected]>
>> To: [email protected]
>> Sent: Mon, November 8, 2010 8:17:31 AM
>> Subject: Re: HttpOnly
>>
>> On 08/11/2010 12:48, Clinton Gormley wrote:
>>> Hi all
>>>
>>> Any plans on adding support to Apache2::Cookie for the HttpOnly flag?
>>>
>>> I see a patch in Debian which does this:
>>>
>>>
>>> http://www.mail-archive.com/[email protected]/msg543361.html
>>>
>>> thanks
>>>
>>> Clint
>>>
>>>
>>
>> The patch looks ok to me at first glance. If you're willing to write
>> the unit test(s) for this, I'd be happy to help push this.
>>
>
>
>
Index: c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
===================================================================
--- c-modules/apreq_cookie_test/mod_apreq_cookie_test.c (revision 1032832)
+++ c-modules/apreq_cookie_test/mod_apreq_cookie_test.c (working copy)
@@ -80,6 +80,11 @@
apr_table_add(r->headers_out, "Set-Cookie2",
apreq_cookie_as_string(cookie, r->pool));
}
+ else if (strcmp(test, "httponly") == 0) {
+ apreq_cookie_httponly_on(cookie);
+ apr_table_add(r->headers_out, "Set-Cookie",
+ apreq_cookie_as_string(cookie, r->pool));
+ }
else {
size = strlen(cookie->v.data);
dest = apr_palloc(r->pool, size + 1);
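Review bot: The new "httponly" branch only covers the flag being switched on via apreq_cookie_httponly_on(cookie), so the test handler has no case that serialises a cookie with the flag left untouched. Since HttpOnly is a security attribute, it is worth adding a companion case (or reusing an existing one) so cookie.t can also assert that the Set-Cookie output does not contain HttpOnly unless it was explicitly enabled. A short comment on the branch saying which header form it is meant to exercise (Set-Cookie rather than the Set-Cookie2 used just above) would also help the next reader.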
Index: cookie.t
===================================================================
--- cookie.t (revision 1032832)
+++ cookie.t (working copy)
@@ -6,7 +6,7 @@
use Apache::TestUtil;
use Apache::TestRequest qw(GET_BODY GET_HEAD);
-plan tests => 5, need_lwp;
+plan tests => 6, need_lwp;
require HTTP::Cookies;
@@ -59,3 +59,12 @@
Cookie => $cookie) =~ /^#Set-Cookie2:\s+(.+)/m;
ok t_cmp($header, qq{$key="$value"; Version=1; path="$location"}, $test);
}
+{
+ my $test = 'httponly';
+ my $key = 'apache';
+ my $value = 'ok';
+ my $cookie = "$key=$value; HttpOnly";
+ my ($header) = GET_HEAD("$location?test=$test&key=$key",
+ Cookie => $cookie) =~ /^#Set-Cookie:\s+(.+)/m;
+ ok t_cmp($header, $cookie, $test);
+}
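Review bot: In the new httponly block, $cookie ("$key=$value; HttpOnly") is used both as the Cookie request header passed to GET_HEAD and as the expected value in t_cmp, so the request already carries the HttpOnly token. That makes the test ambiguous: a passing result does not show whether the attribute in the response came from the handler enabling the flag or from how the request header was parsed. Suggest sending only "$key=$value" in the request and comparing against a separate expected string, for example my $expected = "$key=$value; HttpOnly"; followed by ok t_cmp($header, $expected, $test);. The test also covers only a bare name/value pair, so the position of HttpOnly relative to other attributes such as path is not checked.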