author | Eric Covener <covener@apache.org> | 2020-02-22 18:10:10 +0100 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2020-02-22 18:10:10 +0100 |
commit | 9fd6207efa1b44c03c53f8cc4917da78c19e95a7 (patch) | |
tree | f7ae5b5c27b19f70ea8f89e1f729084b81396c98 | |
parent | Avoid printing NULL strings in logs (diff) | |
PR64077: samesite/httponly/secure flags for usertrack
Submitted By: Prashant Keshvani <prashant2400 gmail.com>, Eric Covener
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874389 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | docs/manual/mod/mod_usertrack.xml | 67 | ||||
-rw-r--r-- | modules/metadata/mod_usertrack.c | 55 |
3 files changed, 127 insertions, 0 deletions
@@ -1,6 +1,11 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+
+  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
+     to allow customization of the usertrack cookie. PR64077.
+     [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
+
   *) mpm_event: avoid possible KeepAlveTimeout off by -100 ms.
      [Eric Covener, Yann Ylavic]
diff --git a/docs/manual/mod/mod_usertrack.xml b/docs/manual/mod/mod_usertrack.xml
index 564c55ed8f..bc38322270 100644
--- a/docs/manual/mod/mod_usertrack.xml
+++ b/docs/manual/mod/mod_usertrack.xml
@@ -222,4 +222,71 @@ CustomLog "logs/clickstream.log" usertrack
 </usage>
 </directivesynopsis>
+<directivesynopsis>
+<name>CookieSecure</name>
+<description>Adds the 'Secure' attribute to the cookie</description>
+<syntax>CookieSecure on|off</syntax>
+<default>CookieSecure off</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+  <p>When set to 'ON', the 'Secure' cookie attribute is added to this
+  modules tracking cookie. This attribute instructs browsers to only
+  transmit the cookie over HTTPS.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieHTTPOnly</name>
+<description>Adds the 'HTTPOnly' attribute to the cookie</description>
+<syntax>CookieHTTPOnlyon|off</syntax>
+<default>CookieHTTPOnlyoff</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+  <p>When set to 'ON', the 'HTTPOnly' cookie attribute is added to this
+  modules tracking cookie. This attribute instructs browsers to block javascript
+  from reading the value of the cookie</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>CookieSameSite</name>
+<description>Adds the 'SameSite' attribute to the cookie</description>
+<syntax>CookieSameSite None|Lax|Strict</syntax>
+<default>unset</default>
+<contextlist>
+<context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>FileInfo</override>
+
+<usage>
+  <p>When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute
+  is added to this modules tracking cookie with the corresponding value.
+  This attribute instructs browser on how to treat the cookie when it is
+  requested in a cross-site context.
</p>
+
+  <note type="Warning">
+  <p>A value of 'None' sets 'SameSite=None', which is the most liberal setting. To
+  omit this attribute, omit the directive entirely.</p>
+  </note>
+
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>
diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
index 73a9f45cc6..65759c2120 100644
--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -86,6 +86,9 @@ typedef struct {
     const char *cookie_domain;
     char *regexp_string; /* used to compile regexp; save for debugging */
     ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
+    int is_secure;
+    int is_httponly;
+    const char *samesite;
 } cookie_dir_rec;
 /* Make Cookie: Now we have to generate something that is going to be
@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
                                  : ""),
                                  NULL);
     }
+    if (dcfg->samesite != NULL) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
+                                 dcfg->samesite,
+                                 NULL);
+    }
+    if (dcfg->is_secure) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
+                                 NULL);
+    }
+    if (dcfg->is_httponly) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
+                                 NULL);
+    }
+
+
     apr_table_addn(r->err_headers_out,
                    (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d)
     dcfg->cookie_domain = NULL;
     dcfg->style = CT_UNSET;
     dcfg->enabled = 0;
+    /* calloc'ed to disabled: samesite, is_secure, is_httponly */
     /* In case the user does not use the CookieName directive,
      * we need to compile the regexp for the default cookie name.
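Review bot: In the new attribute block of make_cookie, `SameSite=None` is appended whenever CookieSameSite None is configured, without regard to `dcfg->is_secure`; current browsers drop a `SameSite=None` cookie that lacks `Secure`, so that combination silently produces no tracking cookie and neither the config parser nor the logs say why. Both flags are known at this point, so a warning is cheap: `if (dcfg->samesite && !dcfg->is_secure && strcmp(dcfg->samesite, "SameSite=None") == 0) ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "CookieSameSite None without CookieSecure; browsers will reject the cookie");` (with an APLOGNO tag if the project requires one, which I cannot confirm from this hunk). The same three attributes are also emitted on the `Set-Cookie2` branch visible just below, where SameSite and HttpOnly are presumably not defined; it would be worth a comment saying that is intentional or restricting them to Set-Cookie. The body of make_cookie starts before this hunk.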
@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
     return NULL;
 }
+/*
+ * SameSite enabled disabled
+ */
+
+static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
+                                      const char *name)
+{
+    cookie_dir_rec *dcfg;
+
+    dcfg = (cookie_dir_rec *) mconfig;
+
+    if (strcasecmp(name, "strict") == 0) {
+        dcfg->samesite = "SameSite=Strict";
+    } else if (strcasecmp(name, "lax") == 0) {
+        dcfg->samesite = "SameSite=Lax";
+    } else if (strcasecmp(name, "none") == 0) {
+        dcfg->samesite = "SameSite=None";
+    } else {
+        return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
+    }
+
+
+    return NULL;
+}
+
 static const command_rec cookie_log_cmds[] = {
     AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
                   "an expiry date code"),
@@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = {
                   "whether or not to enable cookies"),
     AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
                   "name of the tracking cookie"),
+    AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
+                 "whether or not to enable cookies"),
+    AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
+                  "SameSite setting"),
+    AP_INIT_FLAG("CookieSecure", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
+                 "is cookie secure"),
+    AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot,
+                 (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
+                 "is cookie http only"),
+
     {NULL}
 }; |
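Review bot: The header comment on the new set_samesite_value handler, `SameSite enabled disabled`, does not describe what the function does: it maps the directive argument onto one of three fixed attribute strings and rejects anything else. A comment that states the contract would help the next reader, e.g. `/* CookieSameSite: store the complete attribute text (SameSite=Strict|Lax|None) so make_cookie can append it verbatim; any other argument is a config error. */`. Because the stored value is always one of these three literals, the later apr_pstrcat into the Set-Cookie header cannot carry user-controlled text, which is worth saying explicitly so nobody later "improves" it to pass the argument through. The double blank line before `return NULL;` looks accidental.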
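Review bot: The first two added lines of the cookie_log_cmds hunk register `CookieTracking` a second time with the same handler, set_cookie_enable, and the same help text; the context line directly above (`"whether or not to enable cookies"),`) is the tail of the existing entry. Directive lookup appears to take the first match, so this is probably harmless, but it is a confusing duplicate and should be removed: drop `AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,` and `"whether or not to enable cookies"),`. Separately, the table registers `CookieHttpOnly` while the manual page in this same commit documents `CookieHTTPOnly`; directive names are matched case-insensitively as far as I know, so it works, but the two spellings should agree. The cookie_log_cmds array opens in the previous hunk.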