httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From minf...@apache.org
Subject svn commit: r644748 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_session_cookie.xml include/util_cookies.h modules/session/config.m4 modules/session/mod_session_cookie.c server/Makefile.in server/util_cookies.c
Date Fri, 04 Apr 2008 16:02:31 GMT
Author: minfrin
Date: Fri Apr  4 09:02:22 2008
New Revision: 644748

URL: http://svn.apache.org/viewvc?rev=644748&view=rev
Log:
mod_session_cookie: Add a session implementation capable of storing
session information within cookies on the browser. Useful for high
volume sites where server bound sessions are too resource intensive.

Added:
    httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml
    httpd/httpd/trunk/include/util_cookies.h
    httpd/httpd/trunk/modules/session/mod_session_cookie.c
    httpd/httpd/trunk/server/util_cookies.c
Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/session/config.m4
    httpd/httpd/trunk/server/Makefile.in

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=644748&r1=644747&r2=644748&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr  4 09:02:22 2008
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_session_cookie: Add a session implementation capable of storing
+     session information within cookies on the browser. Useful for high
+     volume sites where server bound sessions are too resource intensive.
+     [Graham Leggett]
+
   *) mod_session: Add a generic session interface to unify the different
      attempts at saving persistent sessions across requests.
      [Graham Leggett]

Added: httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml?rev=644748&view=auto
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml (added)
+++ httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml Fri Apr  4 09:02:22 2008
@@ -0,0 +1,156 @@
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: 634760 $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<modulesynopsis metafile="mod_session_cookie.xml.meta">
+
+<name>mod_session_cookie</name>
+<description>Cookie based session support</description>
+<status>Extension</status>
+<sourcefile>mod_session_cookie.c</sourcefile>
+<identifier>session_cookie_module</identifier>
+
+<summary>
+    <note type="warning"><title>Warning</title>
+      <p>The session modules make use of HTTP cookies, and as such can fall
+      victim to Cross Site Scripting attacks, or expose potentially private
+      information to clients. Please ensure that the relevant risks have
+      been taken into account before enabling the session functionality on
+      your server.</p>
+    </note>
+
+    <p>This submodule of <module>mod_session</module> provides support
for the
+    storage of user sessions on the remote browser within HTTP cookies.</p>
+    
+    <p>Using cookies to store a session removes the need for the server or
+    a group of servers to store the session locally, or collaborate to share
+    a session, and can be useful for high traffic environments where a
+    server based session might be too resource intensive.</p>
+    
+    <p>If session privacy is required, the <module>mod_session_crypto</module>
+    module can be used to encrypt the contents of the session before writing
+    the session to the client.</p>
+    
+    <p>For more details on the session interface, see the documentation for
+    the <module>mod_session</module> module.</p>
+    
+</summary>
+<seealso><module>mod_session</module></seealso>
+<seealso><module>mod_session_crypto</module></seealso>
+<seealso><module>mod_session_dbd</module></seealso>
+
+    <section id="basicexamples"><title>Basic Examples</title>
+    
+      <p>To create a simple session and store it in a cookie called
+      <var>session</var>, configure the session as follows:</p>
+      
+      <example><title>Browser based session</title>
+        Session On<br />
+        SessionCookieName session path=/<br />
+      </example>
+      
+      <p>For more examples on how the session can be configured to be read
+      from and written to by a CGI application, see the
+      <module>mod_session</module> examples section.</p>
+      
+      <p>For documentation on how the session can be used to store username
+      and password details, see the <module>mod_auth_form</module> module.</p>
+
+    </section>
+
+<directivesynopsis>
+<name>SessionCookieName</name>
+<description>Name and attributes for the RFC2109 cookie storing the session</description>
+<syntax>SessionCookieName <var>name</var> <var>attributes</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+    <p>The <directive>SessionCookieName</directive> directive specifies
the name and
+    optional attributes of an RFC2109 compliant cookie inside which the session will
+    be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP
header.
+    </p>
+    
+    <p>An optional list of cookie attributes can be specified, as per the example below.
+    These attributes are inserted into the cookie as is, and are not interpreted by
+    Apache. Ensure that your attributes are defined correctly as per the cookie specification.
+    </p>
+    
+    <example><title>Cookie with attributes</title>
+      Session On<br />
+      SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;<br
/>
+    </example>
+
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCookieName2</name>
+<description>Name and attributes for the RFC2965 cookie storing the session</description>
+<syntax>SessionCookieName2 <var>name</var> <var>attributes</var></syntax>
+<default>none</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+    <p>The <directive>SessionCookieName2</directive> directive specifies
the name and
+    optional attributes of an RFC2965 compliant cookie inside which the session will
+    be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP
header.
+    </p>
+    
+    <p>An optional list of cookie attributes can be specified, as per the example below.
+    These attributes are inserted into the cookie as is, and are not interpreted by
+    Apache. Ensure that your attributes are defined correctly as per the cookie specification.
+    </p>
+    
+    <example><title>Cookie2 with attributes</title>
+      Session On<br />
+      SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;<br
/>
+    </example>
+
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SessionCookieRemove</name>
+<description>Control for whether session cookies should be removed from incoming HTTP
headers</description>
+<syntax>SessionCookieRemove On|Off</syntax>
+<default>SessionCookieRemove Off</default>
+<contextlist><context>directory</context>
+</contextlist>
+<compatibility>Available in Apache 2.3.0 and later</compatibility>
+
+<usage>
+    <p>The <directive>SessionCookieRemove</directive> flag controls whether
the cookies
+    containing the session will be removed from the headers during request processing.</p>
+    
+    <p>In a reverse proxy situation where the Apache server acts as a server frontend
for
+    a backend origin server, revealing the contents of the session cookie to the backend
+    could be a potential privacy violation. When set to on, the session cookie will be
+    removed from the incoming HTTP headers.</p>
+
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>

Added: httpd/httpd/trunk/include/util_cookies.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/util_cookies.h?rev=644748&view=auto
==============================================================================
--- httpd/httpd/trunk/include/util_cookies.h (added)
+++ httpd/httpd/trunk/include/util_cookies.h Fri Apr  4 09:02:22 2008
@@ -0,0 +1,120 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file util_cookies.h
+ * @brief Apache cookie library
+ */
+
+#ifndef UTIL_COOKIES_H
+#define UTIL_COOKIES_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @defgroup APACHE_CORE_COOKIE Cookies
+ * @ingroup  APACHE_CORE
+ *
+ * RFC2109 and RFC2965 compliant HTTP cookies can be read from and written
+ * to using this set of functions.
+ *
+ */
+
+#include "apr_errno.h"
+#include "httpd.h"
+
+#define SET_COOKIE "Set-Cookie"
+#define SET_COOKIE2 "Set-Cookie2"
+#define DEFAULT_ATTRS "HttpOnly;Secure;Version=1"
+#define CLEAR_ATTRS "Max-Age=0;Version=1"
+
+typedef struct {
+    request_rec *r;
+    const char *name;
+    const char *encoded;
+    apr_table_t *new_cookies;
+    int duplicated;
+} ap_cookie_do;
+
+/**
+ * Write an RFC2109 compliant cookie.
+ *
+ * @param r The request
+ * @param name The name of the cookie.
+ * @param val The value to place in the cookie.
+ * @param attrs The string containing additional cookie attributes. If NULL, the
+ *              DEFAULT_ATTRS will be used.
+ * @param maxage If non zero, a Max-Age header will be added to the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val,
+                                         const char *attrs, long maxage);
+
+/**
+ * Write an RFC2965 compliant cookie.
+ *
+ * @param r The request
+ * @param name2 The name of the cookie.
+ * @param val The value to place in the cookie.
+ * @param attrs2 The string containing additional cookie attributes. If NULL, the
+ *               DEFAULT_ATTRS will be used.
+ * @param maxage If non zero, a Max-Age header will be added to the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char
*val,
+                                          const char *attrs2, long maxage);
+
+/**
+ * Remove an RFC2109 compliant cookie.
+ *
+ * @param r The request
+ * @param name The name of the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name);
+
+/**
+ * Remove an RFC2965 compliant cookie.
+ *
+ * @param r The request
+ * @param name2 The name of the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2);
+
+/**
+ * Read a cookie called name, placing its value in val.
+ *
+ * Both the Cookie and Cookie2 headers are scanned for the cookie.
+ *
+ * If the cookie is duplicated, this function returns APR_EGENERAL. If found,
+ * and if remove is non zero, the cookie will be removed from the headers, and
+ * thus kept private from the backend.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_read(request_rec * r, const char *name, const char **val,
+                                        int remove);
+
+/**
+ * Sanity check a given string that it exists, is not empty,
+ * and does not contain the special characters '=', ';' and '&'.
+ *
+ * It is used to sanity check the cookie names.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_check_string(const char *string);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* !UTIL_COOKIES_H */

Modified: httpd/httpd/trunk/modules/session/config.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/config.m4?rev=644748&r1=644747&r2=644748&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/session/config.m4 (original)
+++ httpd/httpd/trunk/modules/session/config.m4 Fri Apr  4 09:02:22 2008
@@ -10,7 +10,7 @@
 dnl various places, such as databases, LDAP, or cookies.
 dnl
 APACHE_MODULE(session, session module, , , most)
-dnl APACHE_MODULE(session_cookie, session cookie module, , , most)
+APACHE_MODULE(session_cookie, session cookie module, , , most)
 dnl APACHE_MODULE(session_crypto, session crypto module, , , most)
 dnl APACHE_MODULE(session_dbd, session dbd module, , , most)
 dnl APACHE_MODULE(session_ldap, session ldap module, , , most)

Added: httpd/httpd/trunk/modules/session/mod_session_cookie.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_cookie.c?rev=644748&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/session/mod_session_cookie.c (added)
+++ httpd/httpd/trunk/modules/session/mod_session_cookie.c Fri Apr  4 09:02:22 2008
@@ -0,0 +1,269 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define CORE_PRIVATE
+
+#include "mod_session.h"
+#include "apr_lib.h"
+#include "apr_strings.h"
+#include "http_log.h"
+#include "util_cookies.h"
+
+#define LOG_PREFIX "mod_session_cookie: "
+#define MOD_SESSION_COOKIE "mod_session_cookie"
+
+module AP_MODULE_DECLARE_DATA session_cookie_module;
+
+/**
+ * Structure to carry the per-dir session config.
+ */
+typedef struct {
+    const char *name;
+    int name_set;
+    const char *name_attrs;
+    const char *name2;
+    int name2_set;
+    const char *name2_attrs;
+    int remove;
+    int remove_set;
+} session_cookie_dir_conf;
+
+/**
+ * Set the cookie and embed the session within it.
+ *
+ * This function adds an RFC2109 compliant Set-Cookie header for
+ * the cookie specified in SessionCookieName, and an RFC2965 compliant
+ * Set-Cookie2 header for the cookie specified in SessionCookieName2.
+ *
+ * If specified, the optional cookie attributes will be added to
+ * each cookie. If defaults are not specified, DEFAULT_ATTRS
+ * will be used.
+ *
+ * On success, this method will return APR_SUCCESS.
+ *
+ * @param r The request pointer.
+ * @param z A pointer to where the session will be written.
+ */
+AP_DECLARE(int) ap_session_cookie_save(request_rec * r, session_rec * z)
+{
+
+    session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+                                                    &session_cookie_module);
+
+    /* don't cache auth protected pages */
+    apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
+
+    /* create RFC2109 compliant cookie */
+    if (conf->name_set) {
+        if (z->encoded && z->encoded[0]) {
+            ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs, z->maxage);
+        }
+        else {
+            ap_cookie_remove(r, conf->name);
+        }
+    }
+
+    /* create RFC2965 compliant cookie */
+    if (conf->name2_set) {
+        if (z->encoded && z->encoded[0]) {
+            ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs, z->maxage);
+        }
+        else {
+            ap_cookie_remove2(r, conf->name2);
+        }
+    }
+
+    if (conf->name_set || conf->name2_set) {
+        return OK;
+    }
+    return DECLINED;
+
+}
+
+/**
+ * Isolate the cookie with the name "name", and if present, extract
+ * the payload from the cookie.
+ *
+ * If the cookie is found, the cookie and any other cookies with the
+ * same name are removed from the cookies passed in the request, so
+ * that credentials are not leaked to a backend server or process.
+ *
+ * A missing or malformed cookie will cause this function to return
+ * APR_EGENERAL.
+ *
+ * On success, this returns APR_SUCCESS.
+ */
+AP_DECLARE(int) ap_session_cookie_load(request_rec * r, session_rec ** z)
+{
+
+    session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+                                                    &session_cookie_module);
+
+    session_rec *zz = NULL;
+    const char *val = NULL;
+    const char *note = NULL;
+    const char *name = NULL;
+    request_rec *m = r->main ? r->main : r;
+
+    /* is our session in a cookie? */
+    if (conf->name2_set) {
+        name = conf->name2;
+    }
+    else if (conf->name_set) {
+        name = conf->name;
+    }
+    else {
+        return DECLINED;
+    }
+
+    /* first look in the notes */
+    note = apr_pstrcat(r->pool, MOD_SESSION_COOKIE, name, NULL);
+    zz = (session_rec *)apr_table_get(m->notes, note);
+    if (zz) {
+        *z = zz;
+        return OK;
+    }
+
+    /* otherwise, try parse the cookie */
+    ap_cookie_read(r, name, &val, conf->remove);
+
+    /* create a new session and return it */
+    zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
+    zz->pool = r->pool;
+    zz->entries = apr_table_make(r->pool, 10);
+    zz->encoded = val;
+    zz->uuid = (apr_uuid_t *) apr_pcalloc(r->pool, sizeof(apr_uuid_t));
+    *z = zz;
+
+    /* put the session in the notes so we don't have to parse it again */
+    apr_table_setn(m->notes, note, (char *)zz);
+
+    return OK;
+
+}
+
+
+
+static void *create_session_cookie_dir_config(apr_pool_t * p, char *dummy)
+{
+    session_cookie_dir_conf *new =
+    (session_cookie_dir_conf *) apr_pcalloc(p, sizeof(session_cookie_dir_conf));
+
+    return (void *) new;
+}
+
+static void *merge_session_cookie_dir_config(apr_pool_t * p, void *basev, void *addv)
+{
+    session_cookie_dir_conf *new = (session_cookie_dir_conf *) apr_pcalloc(p, sizeof(session_cookie_dir_conf));
+    session_cookie_dir_conf *add = (session_cookie_dir_conf *) addv;
+    session_cookie_dir_conf *base = (session_cookie_dir_conf *) basev;
+
+    new->name = (add->name_set == 0) ? base->name : add->name;
+    new->name_attrs = (add->name_set == 0) ? base->name_attrs : add->name_attrs;
+    new->name_set = add->name_set || base->name_set;
+    new->name2 = (add->name2_set == 0) ? base->name2 : add->name2;
+    new->name2_attrs = (add->name2_set == 0) ? base->name2_attrs : add->name2_attrs;
+    new->name2_set = add->name2_set || base->name2_set;
+    new->remove = (add->remove_set == 0) ? base->remove : add->remove;
+    new->remove_set = add->remove_set || base->remove_set;
+
+    return new;
+}
+
+/**
+ * Sanity check a given string that it exists, is not empty,
+ * and does not contain special characters.
+ */
+static const char *check_string(cmd_parms * cmd, const char *string)
+{
+    if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&'))
{
+        return apr_pstrcat(cmd->pool, cmd->directive->directive,
+                           " cannot be empty, or contain '=' or '&'.",
+                           NULL);
+    }
+    return NULL;
+}
+
+static const char *set_cookie_name(cmd_parms * cmd, void *config, const char *args)
+{
+    char *last;
+    char *line = apr_pstrdup(cmd->pool, args);
+    session_cookie_dir_conf *conf = (session_cookie_dir_conf *) config;
+    char *cookie = apr_strtok(line, " \t", &last);
+    conf->name = cookie;
+    conf->name_set = 1;
+    while (apr_isspace(*last)) {
+        last++;
+    }
+    conf->name_attrs = last;
+    return check_string(cmd, cookie);
+}
+
+static const char *set_cookie_name2(cmd_parms * cmd, void *config, const char *args)
+{
+    char *last;
+    char *line = apr_pstrdup(cmd->pool, args);
+    session_cookie_dir_conf *conf = (session_cookie_dir_conf *) config;
+    char *cookie = apr_strtok(line, " \t", &last);
+    conf->name2 = cookie;
+    conf->name2_set = 1;
+    while (apr_isspace(*last)) {
+        last++;
+    }
+    conf->name2_attrs = last;
+    return check_string(cmd, cookie);
+}
+
+static const char *
+     set_remove(cmd_parms * parms, void *dconf, int flag)
+{
+    session_cookie_dir_conf *conf = dconf;
+
+    conf->remove = flag;
+    conf->remove_set = 1;
+
+    return NULL;
+}
+
+static const command_rec session_cookie_cmds[] =
+{
+    AP_INIT_RAW_ARGS("SessionCookieName", set_cookie_name, NULL, OR_AUTHCFG,
+                     "The name of the RFC2109 cookie carrying the session"),
+    AP_INIT_RAW_ARGS("SessionCookieName2", set_cookie_name2, NULL, OR_AUTHCFG,
+                     "The name of the RFC2965 cookie carrying the session"),
+    AP_INIT_FLAG("SessionCookieRemove", set_remove, NULL, OR_AUTHCFG,
+                 "Set to 'On' to remove the session cookie from the headers "
+                 "and hide the cookie from a backend server or process"),
+    {NULL}
+};
+
+static void register_hooks(apr_pool_t * p)
+{
+    ap_hook_session_load(ap_session_cookie_load, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_session_save(ap_session_cookie_save, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA session_cookie_module =
+{
+    STANDARD20_MODULE_STUFF,
+    create_session_cookie_dir_config, /* dir config creater */
+    merge_session_cookie_dir_config,  /* dir merger --- default is to
+                                       * override */
+    NULL,                             /* server config */
+    NULL,                             /* merge server config */
+    session_cookie_cmds,              /* command apr_table_t */
+    register_hooks                    /* register hooks */
+};

Modified: httpd/httpd/trunk/server/Makefile.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/Makefile.in?rev=644748&r1=644747&r2=644748&view=diff
==============================================================================
--- httpd/httpd/trunk/server/Makefile.in (original)
+++ httpd/httpd/trunk/server/Makefile.in Fri Apr  4 09:02:22 2008
@@ -11,7 +11,7 @@
 	config.c log.c main.c vhost.c util.c \
 	util_script.c util_md5.c util_cfgtree.c util_ebcdic.c util_time.c \
 	connection.c listen.c util_mutex.c \
-	mpm_common.c util_charset.c util_debug.c util_xml.c \
+	mpm_common.c util_charset.c util_cookies.c util_debug.c util_xml.c \
 	util_expr.c util_filter.c util_pcre.c exports.c \
 	scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \
 	eoc_bucket.c eor_bucket.c core_filters.c

Added: httpd/httpd/trunk/server/util_cookies.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_cookies.c?rev=644748&view=auto
==============================================================================
--- httpd/httpd/trunk/server/util_cookies.c (added)
+++ httpd/httpd/trunk/server/util_cookies.c Fri Apr  4 09:02:22 2008
@@ -0,0 +1,256 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define CORE_PRIVATE
+
+#include "util_cookies.h"
+#include "apr_lib.h"
+#include "apr_strings.h"
+#include "http_log.h"
+
+#define LOG_PREFIX "ap_cookie: "
+
+/**
+ * Write an RFC2109 compliant cookie.
+ *
+ * @param r The request
+ * @param name The name of the cookie.
+ * @param val The value to place in the cookie.
+ * @param attrs The string containing additional cookie attributes. If NULL, the
+ *              DEFAULT_ATTRS will be used.
+ * @param maxage If non zero, a Max-Age header will be added to the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val,
+                                         const char *attrs, long maxage)
+{
+
+    char *buffer;
+
+    /* handle expiry */
+    buffer = "";
+    if (maxage) {
+        buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);
+    }
+
+    /* create RFC2109 compliant cookie */
+    char *rfc2109 = apr_pstrcat(r->pool, name, "=", val, ";",
+                                buffer,
+                                attrs && strlen(attrs) > 0 ?
+                                attrs : DEFAULT_ATTRS, NULL);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX
+                  "user '%s' set cookie: '%s'", r->user, rfc2109);
+    apr_table_addn(r->headers_out, SET_COOKIE, rfc2109);
+
+    return APR_SUCCESS;
+
+}
+
+/**
+ * Write an RFC2965 compliant cookie.
+ *
+ * @param r The request
+ * @param name2 The name of the cookie.
+ * @param val The value to place in the cookie.
+ * @param attrs2 The string containing additional cookie attributes. If NULL, the
+ *               DEFAULT_ATTRS will be used.
+ * @param maxage If non zero, a Max-Age header will be added to the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_write2(request_rec * r, const char *name2, const char
*val,
+                                          const char *attrs2, long maxage)
+{
+
+    char *buffer;
+
+    /* handle expiry */
+    buffer = "";
+    if (maxage) {
+        buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";");
+    }
+
+    /* create RFC2965 compliant cookie */
+    char *rfc2965 = apr_pstrcat(r->pool, name2, "=", val, ";",
+                                buffer,
+                                attrs2 && strlen(attrs2) > 0 ?
+                                attrs2 : DEFAULT_ATTRS, NULL);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX
+                  "user '%s' set cookie2: '%s'", r->user, rfc2965);
+    apr_table_addn(r->headers_out, SET_COOKIE2, rfc2965);
+
+    return APR_SUCCESS;
+
+}
+
+/**
+ * Remove an RFC2109 compliant cookie.
+ *
+ * @param r The request
+ * @param name The name of the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_remove(request_rec * r, const char *name)
+{
+
+    /* create RFC2109 compliant cookie */
+    char *rfc2109 = apr_pstrcat(r->pool, name, "=;",
+                                CLEAR_ATTRS, NULL);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX
+                  "user '%s' removed cookie: '%s'", r->user, rfc2109);
+    apr_table_addn(r->headers_out, SET_COOKIE, rfc2109);
+
+    return APR_SUCCESS;
+
+}
+
+/**
+ * Remove an RFC2965 compliant cookie.
+ *
+ * @param r The request
+ * @param name2 The name of the cookie.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_remove2(request_rec * r, const char *name2)
+{
+
+    /* create RFC2965 compliant cookie */
+    char *rfc2965 = apr_pstrcat(r->pool, name2, "=;",
+                                CLEAR_ATTRS, NULL);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, LOG_PREFIX
+                  "user '%s' removed cookie2: '%s'", r->user, rfc2965);
+    apr_table_addn(r->headers_out, SET_COOKIE2, rfc2965);
+
+    return APR_SUCCESS;
+
+}
+
+/* Iterate through the cookies, isolate our cookie and then remove it.
+ *
+ * If our cookie appears two or more times, but with different values,
+ * remove it twice and set the duplicated flag to true. Remove any
+ * $path or other attributes following our cookie if present. If we end
+ * up with an empty cookie, remove the whole header.
+ */
+static int extract_cookie_line(ap_cookie_do * v, const char *key, const char *val)
+{
+    char *last1, *last2;
+    char *cookie = apr_pstrdup(v->r->pool, val);
+    const char *name = apr_pstrcat(v->r->pool, v->name ? v->name : "", "=", NULL);
+    size_t len = strlen(name);
+    char *new_cookie = "";
+    const char *comma = ",";
+    char *next1;
+    const char *semi = ";";
+    char *next2;
+    const char *sep = "";
+    int cookies = 0;
+
+    /* find the cookie called name */
+    int eat = 0;
+    next1 = apr_strtok(cookie, comma, &last1);
+    while (next1) {
+        next2 = apr_strtok(next1, semi, &last2);
+        while (next2) {
+            char *trim = next2;
+            while (apr_isspace(*trim)) {
+                trim++;
+            }
+            if (!strncmp(trim, name, len)) {
+                if (v->encoded) {
+                    if (strcmp(v->encoded, trim + len)) {
+                        v->duplicated = 1;
+                    }
+                }
+                v->encoded = apr_pstrdup(v->r->pool, trim + len);
+                eat = 1;
+            }
+            else {
+                if (*trim != '$') {
+                    cookies++;
+                    eat = 0;
+                }
+                if (!eat) {
+                    new_cookie = apr_pstrcat(v->r->pool, new_cookie, sep, next2, NULL);
+                }
+            }
+            next2 = apr_strtok(NULL, semi, &last2);
+            sep = semi;
+        }
+
+        next1 = apr_strtok(NULL, comma, &last1);
+        sep = comma;
+    }
+
+    /* any cookies left over? */
+    if (cookies) {
+        apr_table_addn(v->new_cookies, key, new_cookie);
+    }
+
+    return 1;
+}
+
+/**
+ * Read a cookie called name, placing its value in val.
+ *
+ * Both the Cookie and Cookie2 headers are scanned for the cookie.
+ *
+ * If the cookie is duplicated, this function returns APR_EGENERAL. If found,
+ * and if remove is non zero, the cookie will be removed from the headers, and
+ * thus kept private from the backend.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_read(request_rec * r, const char *name, const char **val,
+                                        int remove)
+{
+
+    ap_cookie_do v;
+    v.r = r;
+    v.encoded = NULL;
+    v.new_cookies = apr_table_make(r->pool, 10);
+    v.duplicated = 0;
+    v.name = name;
+
+    apr_table_do((int (*) (void *, const char *, const char *))
+                 extract_cookie_line, (void *) &v, r->headers_in,
+                 "Cookie", "Cookie2", NULL);
+    if (v.duplicated) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, LOG_PREFIX
+         "client submitted cookie '%s' more than once: %s", v.name, r->uri);
+        return APR_EGENERAL;
+    }
+
+    /* remove our cookie(s), and replace them */
+    if (remove) {
+        apr_table_unset(r->headers_in, "Cookie");
+        apr_table_unset(r->headers_in, "Cookie2");
+        r->headers_in = apr_table_overlay(r->pool, r->headers_in, v.new_cookies);
+    }
+
+    *val = v.encoded;
+
+    return APR_SUCCESS;
+
+}
+
+/**
+ * Sanity check a given string that it exists, is not empty,
+ * and does not contain the special characters '=', ';' and '&'.
+ *
+ * It is used to sanity check the cookie names.
+ */
+AP_DECLARE(apr_status_t) ap_cookie_check_string(const char *string)
+{
+    if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&') ||
+        ap_strchr_c(string, ';')) {
+        return APR_EGENERAL;
+    }
+    return APR_SUCCESS;
+}



Mime
View raw message