logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: How to set attribute HttpOnly and Secure
Author
Ishan



Joined: 30 Mar 2016
Posts: 5

PostPosted: Wed 06 Apr '16 17:41    Post subject: How to set attribute HttpOnly and Secure Reply with quote

Setup : Apache 2.2.29 with mod_headers enabled. [WIn]
Problem : I am not able to set the "HttpOnly ;Secure" attribute for a cookie.
SOlutions tried :
1. httpd.conf : adding the following didnt help
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

2. In createCookie code :
static void
createCookie(request_rec* r, const char* content, const char* name) {
char* new_cookie = NULL;
int i = 0, length = 0;
apr_time_exp_t tms;
length = strlen(content);
if (length == 0)
return;
for (i = 0; i < length; ++i) {
if(!isprint(content[i]))
return;
}

apr_time_exp_gmt(&tms, r->request_time + apr_time_from_sec(60*60*24*365));
new_cookie = apr_psprintf(r->pool,
"%s=%s; HttpOnly; Secure;",
name, content);
if (!checkHttps)
checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);

if (checkHttps && checkHttps(r->connection)) {
new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; Secure; " , "/" );
}
else {
new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; " , "/" );
}
apr_table_add(r->headers_out, "Set-Cookie", new_cookie);
apr_table_add(r->err_headers_out, "Set-Cookie", new_cookie);

}
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 08 Apr '16 17:36    Post subject: Reply with quote

If you use PHP there you can set that in php.ini
What kind of Software do you use to create the cookies?
Back to top
Ishan



Joined: 30 Mar 2016
Posts: 5

PostPosted: Mon 11 Apr '16 9:38    Post subject: Reply with quote

Its a custom C++ program that invokes Apache through httpd main function.
I have 2 functions namely createCookie and setSessionID.
the secure attribute works fine for setSessionID but not for createCookie.

I want to add Secure attribute for all my cookies using createCookie , is there something wrong with code or settin g the attributes at cookie creation time ?
Code for both is as below( Notice the similarity between both )

static void
createCookie(request_rec* r, const char* content, const char* name) {
char* new_cookie = NULL;
int i = 0, length = 0;
apr_time_exp_t tms;
length = strlen(content);
if (length == 0)
return;
for (i = 0; i < length; ++i) {
if(!isprint(content[i]))
return;
}

apr_time_exp_gmt(&tms, r->request_time + apr_time_from_sec(60*60*24*365));
new_cookie = apr_psprintf(r->pool,
"%s=%s; expires=%s, "
"%.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
name, content, apr_day_snames[tms.tm_wday],
tms.tm_mday,
apr_month_snames[tms.tm_mon],
tms.tm_year % 100,
tms.tm_hour, tms.tm_min, tms.tm_sec);

if (!checkHttps)
checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);

if (checkHttps && checkHttps(r->connection)) {
new_cookie = apr_psprintf(r->pool, "path=%s; HttpOnly; Secure; ","/");
}
else {
new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; ", "/");
}
apr_table_add(r->headers_out, "Set-Cookie", new_cookie);
apr_table_add(r->err_headers_out, "Set-Cookie", new_cookie);

}


static void
setSessionID(request_rec* r, const char* sessionID)
{
char* cookie = NULL;
if (!checkHttps)
checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);

if (checkHttps && checkHttps(r->connection)) {
cookie = apr_psprintf(r->pool, "%s=%s; path=%s; HttpOnly; Secure; ",
SESSION_IDENTIFIER, sessionID, "/");
}
else {
cookie = apr_psprintf(r->pool, "%s=%s;path=%s; HttpOnly; ",
SESSION_IDENTIFIER, sessionID, "/");
}
apr_table_add(r->headers_out, "Set-Cookie", cookie);
apr_table_add(r->err_headers_out, "Set-Cookie", cookie);
}
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Tue 12 Apr '16 20:50    Post subject: Reply with quote

Are you sure the code is getting into the if and not falling back to the else because for whatever reason checkHttps or checkHttps(r->connection) == False?

I think I would add "Insecure" to the else side and see if that is showing up instead of what is expected.

Code:
if (checkHttps && checkHttps(r->connection)) {
new_cookie = apr_psprintf(r->pool, "path=%s; HttpOnly; Secure; ","/");
}
else {
new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; Insecure; ", "/");
}


It should be ignored by the client but sill show in the headers (If I'm reading the RFC correctly)
Back to top


Reply to topic   Topic: How to set attribute HttpOnly and Secure View previous topic :: View next topic
Post new topic   Forum Index -> Apache