Feature #2795

mod_usertrack should have an option to set the 'Secure' and 'HttpOnly' flags on the cookie

Added by errietta 7 months ago. Updated 7 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_usertrack
Target version:
Start date: 2017-02-27
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Currently the cookie set by the mod_usertrack module does not have the secure flag or httponly flag on. There should be an option for the cookie to be set with these flags on.
E.g.

Set-Cookie: cookie_name; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly

Associated revisions

Revision 8ddb727d (diff)
Added by gstrauss 7 months ago

[mod_usertrack] usertrack.cookie-attrs config opt (fixes #2795)

usertrack.cookie-attrs allows user to add arbitrary attributes to the
cookie set by mod_usertrack, including attributes Secure and HttpOnly
as well as Path

usertrack.cookie-attrs is appended as-is to cookie string
and therefore must be properly URL-encoded

usertrack.cookie-attrs, if set, replaces *all* other cookie attributes,
including "; Path=/; Version=1" as well as the Domain= and Max-Age=
attributes if usertrack.cookie-domain and usertrack.cookie-max-age set,
so those should be part of usertrack.cookie-attrs if desired

e.g.
usertrack.cookie-name = "TRACKID" # (default)
usertrack.cookie-attrs = "; Path=/; Version=1; Domain=mydom.com; Max-Age=86400; Secure; HttpOnly"

x-ref:
"mod_usertrack should have an option to set the 'Secure' and 'HttpOnly' flags on the cookie"
https://redmine.lighttpd.net/issues/2795

History

#1 Updated by gstrauss 7 months ago

  • Category set to mod_usertrack
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.46

untested patch forthcoming, so feedback appreciated

#2 Updated by gstrauss 7 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

#3 Updated by errietta 7 months ago

gstrauss wrote:

Applied in changeset 8ddb727d5c505ec206446879897f9646e97ff1b3.

Works fine thanks!

errietta@Moltres [2]  ~/lighty % curl -k --head https://localhost:8081/                                                                                                                                       8 2254 20:34:56 Mon 27.02.2017
HTTP/1.1 200 OK
Set-Cookie: TRACKID=85532de0e816b830e1eff4f23fd828c4; Path=/; Version=1;  Max-Age=86400; Secure; HttpOnly
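
A check for the kind of header shown in the comment above, as an added example that is not part of the original issue or of lighttpd: it parses a Set-Cookie value and reports missing Secure/HttpOnly flags, plus attributes that disappear because usertrack.cookie-attrs replaces the defaults. The function names and the two sample values marked as constructed are assumptions for illustration.

```python
# Added example (not lighttpd code): audit a Set-Cookie value for the flags
# requested in this issue and for attributes dropped by usertrack.cookie-attrs.

# Header value taken from the curl output in comment #3.
FIXED = ("TRACKID=85532de0e816b830e1eff4f23fd828c4; Path=/; Version=1;"
         "  Max-Age=86400; Secure; HttpOnly")
# Constructed: the default attributes named in the commit message, no cookie-attrs.
DEFAULT = "TRACKID=0123456789abcdef; Path=/; Version=1"
# Constructed: usertrack.cookie-attrs = "; Secure; HttpOnly", which replaces
# Path and Max-Age instead of adding to them.
FLAGS_ONLY = "TRACKID=0123456789abcdef; Secure; HttpOnly"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, cookie_value, attrs).

    Attribute names are case-insensitive, so they are lowercased; flag
    attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a doubled or trailing ";"
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, cookie_value, attrs


def audit_set_cookie(value, expected=("path", "max-age")):
    """Return findings for one Set-Cookie value (empty list means OK)."""
    _, _, attrs = parse_set_cookie(value)
    findings = ["missing flag: " + f for f in ("secure", "httponly")
                if f not in attrs]
    findings += ["missing attribute: " + k for k in expected
                 if k not in attrs]
    return findings


if __name__ == "__main__":
    for label, header in (("fixed", FIXED), ("default", DEFAULT),
                          ("flags-only", FLAGS_ONLY)):
        print(label, audit_set_cookie(header) or "ok")
```

Adjust `expected` to the attributes your deployment relies on, for example adding "domain" when usertrack.cookie-domain was previously set.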
