$NetBSD: patch-aa,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
Index: auth_mellon_cookie.c
===================================================================
--- auth_mellon_cookie.c (revision 39)
+++ auth_mellon_cookie.c (working copy)
@@ -140,13 +140,18 @@
{
const char *name;
char *cookie;
+ int secure_cookie;
if (id == NULL)
return;
+ secure_cookie = ((am_dir_cfg_rec *)am_get_dir_cfg(r))->secure;
name = am_cookie_name(r);
- cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/", name, id);
+ cookie = apr_psprintf(r->pool,
+ "%s=%s; Version=1; Path=/; Domain=%s%s;",
+ name, id, r->server->server_hostname,
+ secure_cookie ? "; HttpOnly; secure" : "");
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"cookie_set: %s", cookie);
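Review bot: The new `Domain=%s` attribute built from `r->server->server_hostname` changes the cookie from host-only (no Domain attribute, as in revision 39) to one that browsers also send to every subdomain of that host, which widens exposure of the session cookie and is unrelated to the HttpOnly/secure goal of the patch. The format string also ends with `;` and is then followed by `"; HttpOnly; secure"`, so the header contains `;;` whenever the flag is on. Dropping the Domain attribute and the trailing semicolon keeps the original scope: `"%s=%s; Version=1; Path=/%s", name, id, secure_cookie ? "; HttpOnly; secure" : ""`. The enclosing function (its signature and the remainder of its body) lies outside this hunk.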
Index: auth_mellon.h
===================================================================
--- auth_mellon.h (revision 39)
+++ auth_mellon.h (working copy)
@@ -127,6 +127,7 @@
am_decoder_t decoder;
const char *varname;
+ int secure;
apr_hash_t *require;
apr_hash_t *envattr;
const char *userattr;
Index: README
===================================================================
--- README (revision 39)
+++ README (working copy)
@@ -161,6 +161,13 @@
# Default: "cookie"
MellonVariable "cookie"
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
+ # Default: Off
+ MellonSecureCookie On
+
+ # MellonSecureCookie enforces the HttpOnly and secure flags
+ # for the mod_mellon cookie
# MellonUser selects which attribute we should use for the username.
# The username is passed on to other apache modules and to the web
# page the user visits. NAME_ID is an attribute which we set to
@@ -257,7 +264,6 @@
# certificate for the IdP.
# Default: None set.
MellonIdPCAFile /etc/apache2/mellon/ca.pem
-
</Location>
Index: auth_mellon_config.c
===================================================================
--- auth_mellon_config.c (revision 39)
+++ auth_mellon_config.c (working copy)
@@ -39,6 +39,10 @@
*/
static const char *default_cookie_name = "cookie";
+/* The default setting for cookie flags is to not enforce HttpOnly and secure
+ */
+static const int default_secure_cookie = 0;
+
/* This is the default IdP initiated login location
* the MellonDefaultLoginPath configuration directive if you change this.
*/
@@ -352,6 +356,14 @@
" be 'mellon-cookie'."
),
AP_INIT_TAKE1(
+ "MellonSecureCookie",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, secure),
+ OR_AUTHCFG,
+ "Whether the cookie set by auth_mellon should have HttpOnly and"
+ " secure flags set. Default is off."
+ ),
+ AP_INIT_TAKE1(
"MellonUser",
ap_set_string_slot,
(void *)APR_OFFSETOF(am_dir_cfg_rec, userattr),
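Review bot: `MellonSecureCookie` is registered with `AP_INIT_TAKE1` but uses `ap_set_flag_slot` as its handler; under `AP_INIT_TAKE1` the handler is invoked with a `const char *` argument, whereas `ap_set_flag_slot` is declared to take an `int` already parsed from On/Off, so the `secure` slot receives the pointer value (always non-zero) and `MellonSecureCookie Off` cannot turn the flag off. The fix is to register it as a flag directive: `AP_INIT_FLAG(`. A related issue, inferred from the later config-merge hunk that is cut off in this view, is that merging with `add_cfg->secure != default_secure_cookie` treats an explicit Off in a child location as "unset", so a parent's On would win there too; a tri-state (unset/on/off) would be needed to let a child override.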
@@ -480,6 +492,7 @@
dir->decoder = am_decoder_default;
dir->varname = default_cookie_name;
+ dir->secure = default_secure_cookie;
dir->require = apr_hash_make(p);
dir->envattr = apr_hash_make(p);
dir->userattr = default_user_attribute;
@@ -541,6 +554,12 @@
add_cfg->varname :
base_cfg->varname);
+
+ new_cfg->secure = (add_cfg->secure != default_secure_cookie ?
+ add_cfg->secure :
+ base_cfg->secure);
+
+
new_cfg->require = apr_hash_copy(p,
(apr_hash_count(add_cfg->require) > 0) ?
add_cfg->require :