Author: rnewson
Date: Sun Feb 13 16:59:53 2011
New Revision: 1070264
URL: http://svn.apache.org/viewvc?rev=1070264&view=rev
Log:
set cookie security flags correctly when using built-in SSL
Modified:
couchdb/trunk/src/couchdb/couch_httpd_auth.erl
Modified: couchdb/trunk/src/couchdb/couch_httpd_auth.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_auth.erl?rev=1070264&r1=1070263&r2=1070264&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_auth.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_auth.erl Sun Feb 13 16:59:53 2011
@@ -208,7 +208,7 @@ cookie_authentication_handler(#httpd{moc
end.
cookie_auth_header(#httpd{user_ctx=#user_ctx{name=null}}, _Headers) -> [];
-cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret, true}}, Headers) ->
+cookie_auth_header(#httpd{user_ctx=#user_ctx{name=User}, auth={Secret, true}}=Req, Headers)
->
% Note: we only set the AuthSession cookie if:
% * a valid AuthSession cookie has been received
% * we are outside a 10% timeout window
@@ -221,18 +221,18 @@ cookie_auth_header(#httpd{user_ctx=#user
AuthSession = couch_util:get_value("AuthSession", Cookies),
if AuthSession == undefined ->
TimeStamp = make_cookie_time(),
- [cookie_auth_cookie(?b2l(User), Secret, TimeStamp)];
+ [cookie_auth_cookie(Req, ?b2l(User), Secret, TimeStamp)];
true ->
[]
end;
cookie_auth_header(_Req, _Headers) -> [].
-cookie_auth_cookie(User, Secret, TimeStamp) ->
+cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
Hash = crypto:sha_mac(Secret, SessionData),
mochiweb_cookies:cookie("AuthSession",
couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)),
- [{path, "/"}, {http_only, true}]). % TODO add {secure, true} when SSL is detected
+ [{path, "/"}, cookie_scheme(Req)]).
hash_password(Password, Salt) ->
?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
@@ -277,7 +277,7 @@ handle_session_req(#httpd{method='POST',
% setup the session cookie
Secret = ?l2b(ensure_cookie_auth_secret()),
CurrentTime = make_cookie_time(),
- Cookie = cookie_auth_cookie(?b2l(UserName), <<Secret/binary, UserSalt/binary>>,
CurrentTime),
+ Cookie = cookie_auth_cookie(Req, ?b2l(UserName), <<Secret/binary, UserSalt/binary>>,
CurrentTime),
% TODO document the "next" feature in Futon
{Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
nil ->
@@ -293,7 +293,7 @@ handle_session_req(#httpd{method='POST',
]});
_Else ->
% clear the session
- Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, {http_only,
true}]),
+ Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
send_json(Req, 401, [Cookie], {[{error, <<"unauthorized">>},{reason,
<<"Name or password is incorrect.">>}]})
end;
% get user info
@@ -323,7 +323,7 @@ handle_session_req(#httpd{method='GET',
end;
% logout by deleting the session
handle_session_req(#httpd{method='DELETE'}=Req) ->
- Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, {http_only, true}]),
+ Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
{Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
nil ->
{200, [Cookie]};
@@ -345,3 +345,9 @@ auth_name(String) when is_list(String) -
make_cookie_time() ->
{NowMS, NowS, _} = erlang:now(),
NowMS * 1000000 + NowS.
+
+cookie_scheme(#httpd{mochi_req=MochiReq}) ->
+ case MochiReq:get(scheme) of
+ http -> {http_only, true};
+ https -> {secure, true}
+ end.
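Review bot: `cookie_scheme/1` returns a single option, so on https the cookie gets `{secure, true}` but loses the `{http_only, true}` that the removed lines always set — HttpOnly protection is dropped precisely on the TLS deployments this commit targets, at all three call sites in the earlier hunks (`cookie_auth_cookie/4`, the failed-login clear in `handle_session_req` POST, and the DELETE logout). Have it return an option list that always carries `http_only` and adds `secure` for https, and build the option lists at those call sites as `[{path, "/"} | cookie_scheme(Req)]`. The `case` has no clause for a scheme other than `http`/`https`; that is presumably fine for mochiweb's `get(scheme)`, but a comment saying so would help the next reader. The scheme is also mochiweb's view of the socket, so behind a TLS-terminating reverse proxy it will still be `http` and Secure is never set; the log message's "built-in SSL" scope deserves a function comment such as `%% Secure is only set when CouchDB itself terminates TLS; behind a TLS-offloading proxy the scheme is http.`
```erlang
cookie_scheme(#httpd{mochi_req=MochiReq}) ->
    %% HttpOnly is always wanted; Secure only when the connection is TLS.
    [{http_only, true}] ++
    case MochiReq:get(scheme) of
        http -> [];
        https -> [{secure, true}]
    end.
```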