-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathwt.patch
142 lines (125 loc) · 5.26 KB
/
wt.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
commit 2ca0124debad50e072b47c34cdc0dd1dfc5ffa67
Author: Matthew Sherborne <[email protected]>
Date: Sat Sep 24 13:33:53 2011 +1000
secure cookies patch
diff --git a/Changelog b/Changelog
index 8ed8f96..e6e313c 100644
--- a/Changelog
+++ b/Changelog
@@ -87,6 +87,12 @@
* WMenu, WMenuItem, WSubMenuItem: simplifiy internal path handling with submenus
+17-07-2011:
+ * WApplication, WWebSession: Cookies now support 'secure' and
+ 'httpOnly' flags. 'httpOnly' now defaults to true; this may
+ affect some apps that relied on Javascript reading cookie
+ values.
+
15-07-2011:
* examples/feature/broadcast: add an example that illustrates
server push, WServer::post() and synchronizing a shared resource
diff --git a/src/Wt/WApplication b/src/Wt/WApplication
index 79292c4..044be3f 100644
--- a/src/Wt/WApplication
+++ b/src/Wt/WApplication
@@ -1441,6 +1441,15 @@ public:
* By default the cookie only applies to the current path on the
* current domain. To set a proper value for domain, see also RFC2109.
*
+ * The httpOnly flag, which now defaults to true prevents the cookie from
+ * being read on the client side by Javscript. This protects it from XSS
+ * attacks.
+ *
+ * If you know you're on a https connection and the cookie is to do with
+ * security, you should set 'secure' to true. When 'secure' is set, most
+ * browsers will only send the cookie when connected via https. This can
+ * help defend against certain hack attempts.
+ *
* \if cpp
* \note %Wt provides session tracking automatically, and may be configured
* to use a cookie for this. You only need to use cookies yourself
@@ -1451,7 +1460,8 @@ public:
*/
void setCookie(const std::string& name, const std::string& value,
int maxAge, const std::string& domain = "",
- const std::string& path = "");
+ const std::string& path = "",
+ bool httpOnly=true, bool secure=false);
/*! \brief Adds an HTML meta header.
*
diff --git a/src/Wt/WApplication.C b/src/Wt/WApplication.C
index 3c8bb31..4a778c0 100644
--- a/src/Wt/WApplication.C
+++ b/src/Wt/WApplication.C
@@ -925,9 +925,9 @@ void WApplication::setTwoPhaseRenderingThreshold(int bytes)
void WApplication::setCookie(const std::string& name, const std::string& value,
int maxAge, const std::string& domain,
- const std::string& path)
+ const std::string& path, bool httpOnly, bool secure)
{
- session_->renderer().setCookie(name, value, maxAge, domain, path);
+ session_->renderer().setCookie(name, value, maxAge, domain, path, httpOnly, secure);
}
void WApplication::addMetaHeader(const std::string& name,
diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C
index ab98aeb..b04fdc1 100644
--- a/src/web/WebRenderer.C
+++ b/src/web/WebRenderer.C
@@ -417,9 +417,10 @@ void WebRenderer::serveError(int status, WebResponse& response,
void WebRenderer::setCookie(const std::string name, const std::string value,
int maxAge, const std::string domain,
- const std::string path)
+ const std::string path,
+ bool httpOnly, bool secure)
{
- cookiesToSet_.push_back(Cookie(name, value, path, domain, maxAge));
+ cookiesToSet_.push_back(Cookie(name, value, path, domain, maxAge, httpOnly, secure));
}
void WebRenderer::setCaching(WebResponse& response, bool allowCache)
diff --git a/src/web/WebRenderer.h b/src/web/WebRenderer.h
index 193bf31..7e49a02 100644
--- a/src/web/WebRenderer.h
+++ b/src/web/WebRenderer.h
@@ -67,7 +67,8 @@ public:
void setCookie(const std::string name, const std::string value,
int maxAge, const std::string domain,
- const std::string path);
+ const std::string path,
+ bool httpOnly, bool secure);
bool preLearning() const { return learning_; }
void learningIncomplete();
@@ -83,9 +84,11 @@ private:
std::string path;
std::string domain;
int maxAge;
+ bool httpOnly;
+ bool secure;
- Cookie(std::string n, std::string v, std::string p, std::string d, int m)
- : name(n), value(v), path(p), domain(d), maxAge(m) { }
+ Cookie(std::string n, std::string v, std::string p, std::string d, int m, bool h, bool s)
+ : name(n), value(v), path(p), domain(d), maxAge(m), httpOnly(h), secure(s) { }
};
WebSession& session_;
diff --git a/src/web/WebSession.C b/src/web/WebSession.C
index 77e920e..a8f5c6e 100644
--- a/src/web/WebSession.C
+++ b/src/web/WebSession.C
@@ -141,7 +141,7 @@ WebSession::WebSession(WebController *controller,
log("notice") << "Session created";
#endif // WT_TARGET_JAVA
- renderer().setCookie("Wt" + sessionIdCookie_, "1", -1, "", "");
+ renderer().setCookie("Wt" + sessionIdCookie_, "1", -1, "", "", true, true);
}
void WebSession::setApplication(WApplication *app)
@@ -2256,12 +2256,12 @@ void WebSession::generateNewSessionId()
if (controller_->configuration().sessionTracking()
== Configuration::CookiesURL) {
std::string cookieName = env_->deploymentPath();
- renderer().setCookie(cookieName, sessionId_, -1, "", "");
+ renderer().setCookie(cookieName, sessionId_, -1, "", "", true, true);
}
sessionIdCookie_ = WRandom::generateId();
sessionIdCookieChanged_ = true;
- renderer().setCookie("Wt" + sessionIdCookie_, "1", -1, "", "");
+ renderer().setCookie("Wt" + sessionIdCookie_, "1", -1, "", "", true, true);
}
#endif // WT_TARGET_JAVA