MINOR: http: add support for "httponly" and "secure" cookie attributes
httponly  This option tells haproxy to add an "HttpOnly" cookie attribute
          when a cookie is inserted. This attribute is used so that a
          user agent doesn't share the cookie with non-HTTP components.
          Please check RFC6265 for more information on this attribute.

secure    This option tells haproxy to add a "Secure" cookie attribute when
          a cookie is inserted. This attribute is used so that a user agent
          never emits this cookie over non-secure channels, which means
          that a cookie learned with this flag will be presented only over
          SSL/TLS connections. Please check RFC6265 for more information on
          this attribute.
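An added example, not part of this commit or of the haproxy code base: a small audit script that parses the Set-Cookie headers of a response and reports whether each cookie carries the HttpOnly and Secure attributes, which is the check you would run against a backend after enabling these two options. The haproxy configuration in the comment (backend "app", servers "app1"/"app2", cookie "SRVID") is hypothetical, and the sample response is constructed by hand rather than captured from a running haproxy.

```python
# Added example (not haproxy code): audit Set-Cookie headers for the HttpOnly
# and Secure attributes that the "httponly" / "secure" cookie options emit.
#
# Hypothetical backend that would produce such a cookie (names are made up):
#
#   backend app
#       cookie SRVID insert indirect nocache httponly secure
#       server app1 10.0.0.11:8080 check cookie app1
#       server app2 10.0.0.12:8080 check cookie app2
from typing import List

# Constructed sample response, not captured from a real haproxy instance.
# The first cookie is shaped like the Set-Cookie the patch builds; the second
# is an application cookie that lacks both attributes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SRVID=app1; path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: SESSION=abc123; path=/; Domain=.example.com\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so "HttpOnly",
    "httponly" and "HTTPONLY" all end up as the key "httponly".
    Value-less attributes (HttpOnly, Secure) get an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        attr_name, _, attr_value = part.partition("=")
        attrs[attr_name.strip().lower()] = attr_value.strip()
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs}


def audit_cookies(raw_response: str) -> List[dict]:
    """Return one record per Set-Cookie header with httponly/secure flags."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # headers only, drop the body
    results = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        hname, sep, hvalue = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(hvalue.strip())
            cookie["httponly"] = "httponly" in cookie["attributes"]
            cookie["secure"] = "secure" in cookie["attributes"]
            results.append(cookie)
    return results


def cookies_missing_flags(raw_response: str) -> List[str]:
    """Names of cookies that lack HttpOnly or Secure (or both)."""
    return [c["name"] for c in audit_cookies(raw_response)
            if not (c["httponly"] and c["secure"])]


if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_RESPONSE):
        print(f"{c['name']}: httponly={c['httponly']} secure={c['secure']}")
    print("missing flags:", cookies_missing_flags(SAMPLE_RESPONSE))
```

Run it against a real response by pasting the raw header block into SAMPLE_RESPONSE (for example the output of an HTTPS request made with curl's `-i` option). Note that the persistence cookie is only emitted when haproxy inserts it itself, so the script will report it on the first response of a new session, not on later requests that already carry the cookie.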
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1253357..b7ca28d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1891,8 +1891,8 @@
cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
- [ postonly ] [ preserve ] [ domain <domain> ]*
- [ maxidle <idle> ] [ maxlife <life> ]
+ [ postonly ] [ preserve ] [ httponly ] [ secure ]
+ [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Enable cookie-based persistence in a backend.
May be used in sections : defaults | frontend | listen | backend
yes | no | yes | yes
@@ -1990,6 +1990,18 @@
shutdown because users will definitely leave the server after
they logout.
+ httponly This option tells haproxy to add an "HttpOnly" cookie attribute
+ when a cookie is inserted. This attribute is used so that a
+ user agent doesn't share the cookie with non-HTTP components.
+ Please check RFC6265 for more information on this attribute.
+
+ secure This option tells haproxy to add a "Secure" cookie attribute when
+ a cookie is inserted. This attribute is used so that a user agent
+ never emits this cookie over non-secure channels, which means
+ that a cookie learned with this flag will be presented only over
+ SSL/TLS connections. Please check RFC6265 for more information on
+ this attribute.
+
domain This option allows to specify the domain at which a cookie is
inserted. It requires exactly one parameter: a valid domain
name. If the domain begins with a dot, the browser is allowed to
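Review bot: the "secure" paragraph should warn that the attribute is emitted regardless of how the client reached the frontend: if the backend is served through a plain-HTTP frontend, the browser stores the cookie but never sends it back, so cookie persistence silently stops working. Suggest adding a sentence along the lines of "Only use this option when all clients reach the frontend over SSL/TLS, otherwise the cookie will never be returned." It would also help readers to point at the specific sections, RFC 6265 section 4.1.2.5 for "Secure" and section 4.1.2.6 for "HttpOnly", instead of the whole RFC in both entries.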
diff --git a/include/types/proxy.h b/include/types/proxy.h
index 1da0f9d..53dd96d 100644
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -169,6 +169,8 @@
#define PR_CK_NOC 0x00000010 /* add a 'Cache-control' header with the cookie */
#define PR_CK_POST 0x00000020 /* don't insert cookies for requests other than a POST */
#define PR_CK_PSV 0x00000040 /* cookie ... preserve */
+#define PR_CK_HTTPONLY 0x00000080 /* emit the "HttpOnly" attribute */
+#define PR_CK_SECURE 0x00000100 /* emit the "Secure" attribute */
/* bits for sticking rules */
#define STK_IS_MATCH 0x00000001 /* match on request fetch */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index a7aade5..5f8cb96 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2161,6 +2161,12 @@
else if (!strcmp(args[cur_arg], "prefix")) {
curproxy->ck_opts |= PR_CK_PFX;
}
+ else if (!strcmp(args[cur_arg], "httponly")) {
+ curproxy->ck_opts |= PR_CK_HTTPONLY;
+ }
+ else if (!strcmp(args[cur_arg], "secure")) {
+ curproxy->ck_opts |= PR_CK_SECURE;
+ }
else if (!strcmp(args[cur_arg], "domain")) {
if (!*args[cur_arg + 1]) {
Alert("parsing [%s:%d]: '%s' expects <domain> as argument.\n",
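Review bot: "httponly" and "secure" are accepted whatever cookie mode is configured, but they only take effect where haproxy builds the Set-Cookie header itself, which is the insert path touched in proto_http.c; with "rewrite" or "prefix" the keywords are parsed and then silently ignored. A Warning() at parse time when either flag is set together with rewrite or prefix would make that visible at startup rather than leaving the operator to discover it from the browser's cookie store.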
diff --git a/src/proto_http.c b/src/proto_http.c
index 02537ff..7eeb4f6 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -5085,6 +5085,12 @@
if (t->be->cookie_domain)
len += sprintf(trash+len, "; domain=%s", t->be->cookie_domain);
+ if (t->be->ck_opts & PR_CK_HTTPONLY)
+ len += sprintf(trash+len, "; HttpOnly");
+
+ if (t->be->ck_opts & PR_CK_SECURE)
+ len += sprintf(trash+len, "; Secure");
+
if (unlikely(http_header_add_tail2(&txn->rsp, &txn->hdr_idx, trash, len) < 0))
goto return_bad_resp;
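Review bot: the two new sprintf() calls follow the existing unbounded pattern of the "; domain=%s" line just above; they append fixed strings of 10 and 8 bytes, so they add no overflow risk of their own, but every attribute added here eats into the headroom that the unchecked domain and other formatting into trash relies on. Worth switching this block to snprintf() against the remaining size of trash while it is being touched, and checking the return value the same way the existing domain line would need to.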