author | Robert Newson <rnewson@apache.org> | 2021-12-10 22:37:39 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-10 22:37:39 +0000 |
commit | 9ad86ae2f08d0d6f74f03e138f33e21970a1c3fb (patch) | |
tree | ebf31714f4edd626e4c6980d00d2a65784183555 | |
parent | 728f3b936b2eb7f9572ebf90d6887a3c2849f571 (diff) | |
parent | 499234d5b146f9d1d54d859f4e076922abc3a1ae (diff) | |
download | couchdb-9ad86ae2f08d0d6f74f03e138f33e21970a1c3fb.tar.gz |
Merge pull request #3869 from apache/always-send-all-cookie-attributes-3.x
Always send all cookie attributes
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 757f055f1..24a0c15ed 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -371,9 +371,18 @@ cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
 mochiweb_cookies:cookie(
 "AuthSession",
 couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)),
- [{path, "/"}] ++ cookie_scheme(Req) ++ max_age() ++ cookie_domain() ++ same_site()
+ cookie_attributes(Req)
 ).
 
+clear_auth_cookie(Req) ->
+ mochiweb_cookies:cookie(
+ "AuthSession", "", cookie_attributes(Req)
+ ).
+
+cookie_attributes(Req) ->
+ Attributes = [path(), http_only(), max_age(), cookie_scheme(Req), cookie_domain(), same_site()],
+ lists:flatten(Attributes).
+
 ensure_cookie_auth_secret() ->
 case chttpd_util:get_chttpd_auth_config("secret") of
 undefined ->
@@ -446,9 +455,7 @@ handle_session_req(#httpd{method = 'POST', mochi_req = MochiReq} = Req, AuthModu
 false ->
 authentication_warning(Req, UserName),
 % clear the session
- Cookie = mochiweb_cookies:cookie(
- "AuthSession", "", [{path, "/"}] ++ cookie_scheme(Req)
- ),
+ Cookie = clear_auth_cookie(Req),
 {Code, Headers} =
 case couch_httpd:qs_value(Req, "fail", nil) of
 nil ->
@@ -505,12 +512,7 @@ handle_session_req(#httpd{method = 'GET', user_ctx = UserCtx} = Req, _AuthModule
 end;
 % logout by deleting the session
 handle_session_req(#httpd{method = 'DELETE'} = Req, _AuthModule) ->
- Cookie = mochiweb_cookies:cookie(
- "AuthSession",
- "",
- [{path, "/"}] ++
- cookie_domain() ++ cookie_scheme(Req) ++ same_site()
- ),
+ Cookie = clear_auth_cookie(Req),
 {Code, Headers} =
 case couch_httpd:qs_value(Req, "next", nil) of
 nil ->
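Review bot: clear_auth_cookie/1 reuses cookie_attributes/1 wholesale, so the "cleared" cookie is sent with whatever max_age() returns rather than with an explicit expiry; if max_age() yields a positive Max-Age when persistent cookies are enabled (its body is outside this hunk), the browser stores an empty AuthSession cookie for that long instead of deleting it. The old clear paths never set Max-Age, so this is a behaviour change the commit description does not mention. Overriding the lifetime in the clear path keeps path/domain/secure/SameSite aligned with the login cookie (which is what makes the overwrite match) while actually expiring it: `clear_auth_cookie(Req) -> Attrs = lists:keystore(max_age, 1, cookie_attributes(Req), {max_age, 0}), mochiweb_cookies:cookie("AuthSession", "", Attrs).` A one-line comment on cookie_attributes/1 such as `%% Attributes shared by the login and clear cookies; path/domain/secure must agree or the browser keeps the old cookie.` would also help the next reader.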
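Review bot: The `% clear the session` comment above the new `Cookie = clear_auth_cookie(Req),` line no longer explains why the failure path now sends every attribute, which is the whole point of the change and easy to regress. Suggest `% clear the session; the attributes must match the login cookie (name, domain, path) or the browser keeps the stale one` so a later edit does not trim them again. The enclosing POST clause of handle_session_req starts and ends outside this hunk.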
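Review bot: The `% logout by deleting the session` comment over the DELETE clause overstates what `Cookie = clear_auth_cookie(Req),` does: nothing server-side is invalidated, the client is merely told to drop its cookie. From the first hunk the AuthSession value appears to be a self-contained base64(SessionData ++ ":" ++ Hash) token, so a copy captured before logout would presumably keep verifying until its timestamp ages out; worth stating explicitly, e.g. `% logout: overwrite the client cookie; the token itself remains valid until its timeout`. The DELETE clause continues past the end of this hunk.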
@@ -577,12 +579,17 @@ make_cookie_time() ->
 {NowMS, NowS, _} = os:timestamp(),
 NowMS * 1000000 + NowS.
 
+path() ->
+ {path, "/"}.
+
+http_only() ->
+ {http_only, true}.
+
 cookie_scheme(#httpd{mochi_req = MochiReq}) ->
- [{http_only, true}] ++
- case MochiReq:get(scheme) of
- http -> [];
- https -> [{secure, true}]
- end.
+ case MochiReq:get(scheme) of
+ http -> [];
+ https -> [{secure, true}]
+ end.
 
 max_age() ->
 case
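Review bot: The retained `case MochiReq:get(scheme) of` in cookie_scheme/1 decides the Secure attribute from the listener's own scheme, so when CouchDB sits behind a TLS-terminating proxy and is reached over plain http the session cookie is sent without Secure even though the client connection is HTTPS; the refactor keeps that gap, and the other attributes in this series are configurable while this one is not. Consider letting an operator force Secure via configuration (the way domain and SameSite appear to be sourced, though their bodies are outside the hunk) and, at minimum, documenting the limitation above the clause: `%% Secure is derived from the socket scheme only; behind a TLS-terminating proxy it will not be set.` The new path/0 and http_only/0 helpers would also benefit from a one-line `%%` comment each stating they are constant cookie attributes. max_age/0 starts in this hunk but its body lies beyond it.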