
Added config options to set the HttpOnly and SameSite directives on the session cookie.

master^2
Mark Whiting 4 years ago
parent
commit
04aa46b2b0
4 changed files with 48 additions and 1 deletions
  1. +6
    -0
      cppcms/capi/session.h
  2. +20
    -0
      private/cached_settings.h
  3. +14
    -0
      src/capi/session.cpp
  4. +8
    -1
      src/session_interface.cpp

+ 6
- 0
cppcms/capi/session.h View File

@@ -155,6 +155,12 @@ CPPCMS_API long long cppcms_capi_cookie_expires(cppcms_capi_cookie const *cookie

CPPCMS_API int cppcms_capi_cookie_is_secure(cppcms_capi_cookie const *cookie);

CPPCMS_API int cppcms_capi_cookie_is_httponly(cppcms_capi_cookie const *cookie);

CPPCMS_API int cppcms_capi_cookie_samesite_none_defined(cppcms_capi_cookie const *cookie);
CPPCMS_API int cppcms_capi_cookie_samesite_lax_defined(cppcms_capi_cookie const *cookie);
CPPCMS_API int cppcms_capi_cookie_samesite_strict_defined(cppcms_capi_cookie const *cookie);

///
/// @}
///
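Review bot: The six new declarations carry no Doxygen comment although they sit inside a documented `@}` group, so the null-pointer contract visible in the definitions (src/capi/session.cpp returns -1 when `cookie` is NULL, otherwise 0 or 1) is not stated where callers read it; a one-liner such as `/// Returns 1 if the HttpOnly attribute is set, 0 if not, -1 if cookie is NULL.` above `cppcms_capi_cookie_is_httponly`, and the analogous line above each `samesite_*_defined` function, would close that gap. Naming is also mixed: `is_httponly` follows the existing `is_secure`, while the SameSite trio uses a `_defined` suffix; if the header already uses `_defined` for other attributes that is defensible, but one convention for the three SameSite accessors would read more consistently.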


+ 20
- 0
private/cached_settings.h View File

@@ -142,6 +142,10 @@ namespace impl {
bool use_age;
bool use_exp;
bool secure;
bool httponly;
bool use_samesite_none;
bool use_samesite_lax;
bool use_samesite_strict;
bool remove_unknown_cookies;
} cookies;
cached_session(json::value const &v)
@@ -173,6 +177,22 @@ namespace impl {
cookies.use_age = cookies.use_exp = true;
}
cookies.secure = v.get("session.cookies.secure",false);
cookies.httponly = v.get("session.cookies.httponly", false);

std::string samesite = v.get("session.cookies.samesite", "");
cookies.use_samesite_none = false;
cookies.use_samesite_lax = false;
cookies.use_samesite_strict = false;
if (samesite == "none") {
cookies.use_samesite_none = true;
} else if (samesite == "lax") {
cookies.use_samesite_lax = true;
} else if (samesite == "strict") {
cookies.use_samesite_strict = true;
} else if (!samesite.empty()) {
BOOSTER_WARNING("cppcms") << "Invalid session.cookies.samesite"
"if set should be one of 'none', 'lax', or 'strict'; defaults to unset";
}
}
} session;
struct cached_misc {
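Review bot: The warning in the second hunk concatenates two adjacent string literals with no separator, so the emitted text reads "…session.cookies.samesiteif set should…"; `BOOSTER_WARNING("cppcms") << "Invalid session.cookies.samesite: if set should be one of 'none', 'lax', or 'strict'; defaults to unset";` (optionally appending the rejected `samesite` value) fixes the message. The comparisons are exact, so `None`/`Lax`/`Strict` from a config file fall through to this warning and leave SameSite unset; either document that the value is lowercase-only or normalise it before comparing. A `none` value that is accepted while `cookies.secure` is false produces a cookie that browsers enforcing the SameSite=None-requires-Secure rule will drop, so a check after the chain, `if (cookies.use_samesite_none && !cookies.secure) BOOSTER_WARNING("cppcms") << "session.cookies.samesite=none requires session.cookies.secure=true";`, would surface the misconfiguration at startup. The enclosing `cached_session(json::value const &v)` constructor begins in the first hunk and its body continues outside the second, so the warning branch is the only error path visible here.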


+ 14
- 0
src/capi/session.cpp View File

@@ -108,6 +108,10 @@ struct cppcms_capi_cookie {
std::string path;
std::string domain;
bool secure;
bool httponly;
bool has_samesite_none;
bool has_samesite_lax;
bool has_samesite_strict;
bool has_expires;
bool has_max_age;
time_t expires;
@@ -121,6 +125,10 @@ struct cppcms_capi_cookie {
path(c.path()),
domain(c.domain()),
secure(c.secure()),
httponly(c.httponly()),
has_samesite_none(c.samesite_none()),
has_samesite_lax(c.samesite_lax()),
has_samesite_strict(c.samesite_strict()),
has_expires(c.expires_defined()),
has_max_age(c.max_age_defined()),
expires(c.expires()),
@@ -764,4 +772,10 @@ long long cppcms_capi_cookie_expires(cppcms_capi_cookie const *cookie) { return

int cppcms_capi_cookie_is_secure(cppcms_capi_cookie const *cookie) { return cookie ? cookie->secure: -1; }

int cppcms_capi_cookie_is_httponly(cppcms_capi_cookie const *cookie) { return cookie ? cookie->httponly: -1; }

int cppcms_capi_cookie_samesite_none_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_none: -1; }
int cppcms_capi_cookie_samesite_lax_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_lax: -1; }
int cppcms_capi_cookie_samesite_strict_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_strict: -1; }

} // extern "C"

+ 8
- 1
src/session_interface.cpp View File

@@ -481,6 +481,10 @@ void session_interface::set_session_cookie(int64_t age,std::string const &data,s
bool use_exp = cached_settings().session.cookies.use_exp;

bool secure = cached_settings().session.cookies.secure;
bool httponly = cached_settings().session.cookies.httponly;
bool use_samesite_none = cached_settings().session.cookies.use_samesite_none;
bool use_samesite_lax = cached_settings().session.cookies.use_samesite_lax;
bool use_samesite_strict = cached_settings().session.cookies.use_samesite_strict;

http::cookie the_cookie(cookie_name,util::urlencode(data),path,domain);

@@ -501,8 +505,11 @@ void session_interface::set_session_cookie(int64_t age,std::string const &data,s
}
}


the_cookie.secure(secure);
the_cookie.httponly(httponly);
the_cookie.samesite_none(use_samesite_none);
the_cookie.samesite_lax(use_samesite_lax);
the_cookie.samesite_strict(use_samesite_strict);
if(d->adapter)
d->adapter->set_cookie(the_cookie);
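Review bot: The five new locals at the top of the first hunk each re-evaluate `cached_settings().session.cookies` where a single reference, e.g. `auto const &ck = cached_settings().session.cookies;` followed by `bool httponly = ck.httponly;` and so on (using the struct's type name instead of `auto` if the build predates C++11), would express the intent once and keep the block short. With `session.cookies.httponly` absent the flag is false, so the session cookie remains readable by script by default; a brief comment at the `httponly` read noting that the default is inherited from the settings (or a note in the config reference) would help operators decide deliberately. The blank lines at the end of the hunk context appear to account for this file's single deletion, which I read as whitespace only. `set_session_cookie` starts in the first hunk's header and continues past the last line shown.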

