Follow web app best practice by marking cookies as HttpOnly and, if they are set over an https connection, as 'secure' so they will only be transmitted over https. Both options are supported by major browsers, and are harmless where not supported.
Commit
e4b57a32303398ac4a0d239febecb622a8edd4c0
Parent
fc93bfb0f720e5d…
1 file changed
+8
-4
+8
-4
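--- a/src/cgi.c
+++ b/src/cgi.c
@@ -191,20 +191,24 @@
 const char *zName, /* Name of the cookie */
 const char *zValue, /* Value of the cookie. Automatically escaped */
 const char *zPath, /* Path cookie applies to. NULL means "/" */
 int lifetime /* Expiration of the cookie in seconds from now */
 ){
+char *zSecure = "";
 if( zPath==0 ) zPath = g.zTop;
+if( g.zBaseURL!=0 && strncmp(g.zBaseURL, "https:", 6)==0 ){
+zSecure = " secure;";
+}
 if( lifetime>0 ){
 lifetime += (int)time(0);
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; expires=%z; Version=1\r\n",
-zName, zValue, zPath, cgi_rfc822_datestamp(lifetime));
+"Set-Cookie: %s=%t; Path=%s; expires=%z; HttpOnly;%s Version=1\r\n",
+zName, zValue, zPath, cgi_rfc822_datestamp(lifetime), zSecure);
 }else{
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; Version=1\r\n",
-zName, zValue, zPath);
+"Set-Cookie: %s=%t; Path=%s; HttpOnly;%s Version=1\r\n",
+zName, zValue, zPath, zSecure);
 }
 }
 
 #if 0
 /*
 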
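Review bot: The Secure decision at new line 198 is keyed off a case-sensitive `strncmp(g.zBaseURL, "https:", 6)`, so a base URL configured as `HTTPS://...` (the scheme is case-insensitive per RFC 3986) would silently produce a cookie without the Secure attribute; a case-insensitive compare such as `strncasecmp` would close that gap. Whether g.zBaseURL reflects the actual client connection or a configured/proxied value is not visible here — if TLS is terminated at a reverse proxy in front of Fossil, the flag may be decided on the wrong scheme, so the derivation of g.zBaseURL is worth confirming. As a point of style, `zSecure` only ever points at string literals, so declare it `const char *zSecure = "";` at new line 196 to keep writes through it a compile error. The enclosing function's signature begins before the start of the hunk.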
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -191,20 +191,24 @@ | |
| 191 | const char *zName, /* Name of the cookie */ |
| 192 | const char *zValue, /* Value of the cookie. Automatically escaped */ |
| 193 | const char *zPath, /* Path cookie applies to. NULL means "/" */ |
| 194 | int lifetime /* Expiration of the cookie in seconds from now */ |
| 195 | ){ |
| 196 | if( zPath==0 ) zPath = g.zTop; |
| 197 | if( lifetime>0 ){ |
| 198 | lifetime += (int)time(0); |
| 199 | blob_appendf(&extraHeader, |
| 200 | "Set-Cookie: %s=%t; Path=%s; expires=%z; Version=1\r\n", |
| 201 | zName, zValue, zPath, cgi_rfc822_datestamp(lifetime)); |
| 202 | }else{ |
| 203 | blob_appendf(&extraHeader, |
| 204 | "Set-Cookie: %s=%t; Path=%s; Version=1\r\n", |
| 205 | zName, zValue, zPath); |
| 206 | } |
| 207 | } |
| 208 | |
| 209 | #if 0 |
| 210 | /* |
| 211 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -191,20 +191,24 @@ | |
| 191 | const char *zName, /* Name of the cookie */ |
| 192 | const char *zValue, /* Value of the cookie. Automatically escaped */ |
| 193 | const char *zPath, /* Path cookie applies to. NULL means "/" */ |
| 194 | int lifetime /* Expiration of the cookie in seconds from now */ |
| 195 | ){ |
| 196 | char *zSecure = ""; |
| 197 | if( zPath==0 ) zPath = g.zTop; |
| 198 | if( g.zBaseURL!=0 && strncmp(g.zBaseURL, "https:", 6)==0 ){ |
| 199 | zSecure = " secure;"; |
| 200 | } |
| 201 | if( lifetime>0 ){ |
| 202 | lifetime += (int)time(0); |
| 203 | blob_appendf(&extraHeader, |
| 204 | "Set-Cookie: %s=%t; Path=%s; expires=%z; HttpOnly;%s Version=1\r\n", |
| 205 | zName, zValue, zPath, cgi_rfc822_datestamp(lifetime), zSecure); |
| 206 | }else{ |
| 207 | blob_appendf(&extraHeader, |
| 208 | "Set-Cookie: %s=%t; Path=%s; HttpOnly;%s Version=1\r\n", |
| 209 | zName, zValue, zPath, zSecure); |
| 210 | } |
| 211 | } |
| 212 | |
| 213 | #if 0 |
| 214 | /* |
| 215 |