Topic: How to set attribute HttpOnly and Secure

Ishan
Joined: 30 Mar 2016 Posts: 5
Posted: Wed 06 Apr '16 17:41 Post subject: How to set attribute HttpOnly and Secure

Setup: Apache 2.2.29 with mod_headers enabled. [Win]
Problem: I am not able to set the "HttpOnly; Secure" attribute for a cookie.
Solutions tried:
1. httpd.conf: adding the following didn't help
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
2. In createCookie code:
static void
createCookie(request_rec* r, const char* content, const char* name) {
    char* new_cookie = NULL;
    int i = 0, length = 0;
    apr_time_exp_t tms;
    length = strlen(content);
    if (length == 0)
        return;
    for (i = 0; i < length; ++i) {
        if(!isprint(content[i]))
            return;
    }
    apr_time_exp_gmt(&tms, r->request_time + apr_time_from_sec(60*60*24*365));
    new_cookie = apr_psprintf(r->pool,
                              "%s=%s; HttpOnly; Secure;",
                              name, content);
    if (!checkHttps)
        checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
    if (checkHttps && checkHttps(r->connection)) {
        new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; Secure; " , "/" );
    }
    else {
        new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; " , "/" );
    }
    apr_table_add(r->headers_out, "Set-Cookie", new_cookie);
    apr_table_add(r->err_headers_out, "Set-Cookie", new_cookie);
}

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 08 Apr '16 17:36

If you use PHP there you can set that in php.ini
What kind of Software do you use to create the cookies?

Ishan
Joined: 30 Mar 2016 Posts: 5
Posted: Mon 11 Apr '16 9:38

It's a custom C++ program that invokes Apache through httpd main function.
I have 2 functions, namely createCookie and setSessionID.
The Secure attribute works fine for setSessionID but not for createCookie.
I want to add the Secure attribute for all my cookies using createCookie. Is there something wrong with the code or with setting the attributes at cookie creation time?
Code for both is as below (notice the similarity between both):
static void
createCookie(request_rec* r, const char* content, const char* name) {
    char* new_cookie = NULL;
    int i = 0, length = 0;
    apr_time_exp_t tms;
    length = strlen(content);
    if (length == 0)
        return;
    for (i = 0; i < length; ++i) {
        if(!isprint(content[i]))
            return;
    }
    apr_time_exp_gmt(&tms, r->request_time + apr_time_from_sec(60*60*24*365));
    new_cookie = apr_psprintf(r->pool,
                              "%s=%s; expires=%s, "
                              "%.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
                              name, content, apr_day_snames[tms.tm_wday],
                              tms.tm_mday,
                              apr_month_snames[tms.tm_mon],
                              tms.tm_year % 100,
                              tms.tm_hour, tms.tm_min, tms.tm_sec);
    if (!checkHttps)
        checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
    if (checkHttps && checkHttps(r->connection)) {
        new_cookie = apr_psprintf(r->pool, "path=%s; HttpOnly; Secure; ","/");
    }
    else {
        new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; ", "/");
    }
    apr_table_add(r->headers_out, "Set-Cookie", new_cookie);
    apr_table_add(r->err_headers_out, "Set-Cookie", new_cookie);
}

static void
setSessionID(request_rec* r, const char* sessionID)
{
    char* cookie = NULL;
    if (!checkHttps)
        checkHttps = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
    if (checkHttps && checkHttps(r->connection)) {
        cookie = apr_psprintf(r->pool, "%s=%s; path=%s; HttpOnly; Secure; ",
                              SESSION_IDENTIFIER, sessionID, "/");
    }
    else {
        cookie = apr_psprintf(r->pool, "%s=%s;path=%s; HttpOnly; ",
                              SESSION_IDENTIFIER, sessionID, "/");
    }
    apr_table_add(r->headers_out, "Set-Cookie", cookie);
    apr_table_add(r->err_headers_out, "Set-Cookie", cookie);
}

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 12 Apr '16 20:50

Are you sure the code is getting into the if and not falling back to the else because for whatever reason checkHttps or checkHttps(r->connection) == False?
I think I would add "Insecure" to the else side and see if that is showing up instead of what is expected.
Code:
    if (checkHttps && checkHttps(r->connection)) {
        new_cookie = apr_psprintf(r->pool, "path=%s; HttpOnly; Secure; ","/");
    }
    else {
        new_cookie = apr_psprintf(r->pool, " path=%s; HttpOnly; Insecure; ", "/");
    }
It should be ignored by the client but still show in the headers (if I'm reading the RFC correctly).
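
In the posted createCookie, new_cookie is assigned twice, so only the result of the second apr_psprintf reaches apr_table_add. The C below is an added example, not code from the thread or from Apache: it reproduces that flow with plain snprintf standing in for apr_psprintf, next to a single-call builder modelled on setSessionID, plus two checks on the resulting header value. All function names and the sample cookie are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Same flow as the thread's createCookie: the second format call replaces the first. */
int build_overwritten(char *out, size_t cap, const char *name, const char *value, int https)
{
    snprintf(out, cap, "%s=%s", name, value);
    return snprintf(out, cap, " path=/; HttpOnly; %s", https ? "Secure; " : "");
}

/* Whole cookie in one format call, as setSessionID does; -1 on bad input or short buffer. */
int build_cookie(char *out, size_t cap, const char *name, const char *value, int https)
{
    if (!*name || !*value) return -1;
    for (const char *p = value; *p; ++p)
        if (!isprint((unsigned char)*p) || *p == ';')   /* ';' would start an attribute */
            return -1;
    int n = snprintf(out, cap, "%s=%s; path=/; HttpOnly%s", name, value, https ? "; Secure" : "");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* 1 if the leading name=value pair is named `name` (clients trim leading spaces). */
int names_cookie(const char *hdr, const char *name)
{
    hdr += strspn(hdr, " ");
    return strncmp(hdr, name, strlen(name)) == 0 && hdr[strlen(name)] == '=';
}

/* 1 if `attr` appears as a ';'-separated flag attribute (case-insensitive). */
int has_attr(const char *hdr, const char *attr)
{
    size_t len = strlen(attr);
    for (const char *p = strchr(hdr, ';'); p; p = strchr(p, ';')) {
        p += 1 + strspn(p + 1, " ");
        if (strncasecmp(p, attr, len) == 0 && (p[len] == '\0' || p[len] == ';'))
            return 1;
    }
    return 0;
}

int main(void)
{
    char bad[128], good[128];   /* "lang" and "en" are constructed sample values */
    build_overwritten(bad, sizeof bad, "lang", "en", 1);
    build_cookie(good, sizeof good, "lang", "en", 1);
    printf("overwritten [%s] names lang: %d\n", bad, names_cookie(bad, "lang"));
    printf("single pass [%s] names lang: %d\n", good, names_cookie(good, "lang"));
}
```

Under RFC 6265 parsing, the overwritten header's first pair is `path=/`, so a client stores a cookie named `path` rather than the intended one, even though HttpOnly and Secure are present in the header.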