Fossil

Check-in [e4b57a32]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Follow web app best practise by marking cookies as HttpOnly and, if it's over an https connection, as 'secure' so they will only be transmitted over https. Options supported by major browsers, and harmless where not supported.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | ben-security
Files: files | file ages | folders
SHA1:e4b57a32303398ac4a0d239febecb622a8edd4c0
User & Date: ben 2011-05-22 15:08:15
Context
2011-05-28
16:23
Add the X-Frame-Options: DENY header to HTTP responses, and a comment lamenting that two other helpful security headers can't really be used without breaking things. check-in: 95f04bbf user: ben tags: ben-security
2011-05-23
15:11
Merge the ben-security branch into the trunk. check-in: 474850cf user: drh tags: trunk, release
2011-05-22
15:08
Follow web app best practise by marking cookies as HttpOnly and, if it's over an https connection, as 'secure' so they will only be transmitted over https. Options supported by major browsers, and harmless where not supported. check-in: e4b57a32 user: ben tags: ben-security
14:53
When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack. check-in: fc93bfb0 user: ben tags: ben-security
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/cgi.c.

189
190
191
192
193
194
195

196



197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
*/
void cgi_set_cookie(
  const char *zName,    /* Name of the cookie */
  const char *zValue,   /* Value of the cookie.  Automatically escaped */
  const char *zPath,    /* Path cookie applies to.  NULL means "/" */
  int lifetime          /* Expiration of the cookie in seconds from now */
){

  if( zPath==0 ) zPath = g.zTop;



  if( lifetime>0 ){
    lifetime += (int)time(0);
    blob_appendf(&extraHeader,
       "Set-Cookie: %s=%t; Path=%s; expires=%z; Version=1\r\n",
        zName, zValue, zPath, cgi_rfc822_datestamp(lifetime));
  }else{
    blob_appendf(&extraHeader,
       "Set-Cookie: %s=%t; Path=%s; Version=1\r\n",
       zName, zValue, zPath);
  }
}

#if 0
/*
** Add an ETag header line
*/







>

>
>
>



|
|


|
|







189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
*/
void cgi_set_cookie(
  const char *zName,    /* Name of the cookie */
  const char *zValue,   /* Value of the cookie.  Automatically escaped */
  const char *zPath,    /* Path cookie applies to.  NULL means "/" */
  int lifetime          /* Expiration of the cookie in seconds from now */
){
  char *zSecure = "";
  if( zPath==0 ) zPath = g.zTop;
  if( g.zBaseURL!=0 && strncmp(g.zBaseURL, "https:", 6)==0 ){
    zSecure = " secure;";
  }
  if( lifetime>0 ){
    lifetime += (int)time(0);
    blob_appendf(&extraHeader,
       "Set-Cookie: %s=%t; Path=%s; expires=%z; HttpOnly;%s Version=1\r\n",
        zName, zValue, zPath, cgi_rfc822_datestamp(lifetime), zSecure);
  }else{
    blob_appendf(&extraHeader,
       "Set-Cookie: %s=%t; Path=%s; HttpOnly;%s Version=1\r\n",
       zName, zValue, zPath, zSecure);
  }
}

#if 0
/*
** Add an ETag header line
*/