From 922f89e86245d6653fee4d97fd82168f73620189 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Wed, 8 Jul 2009 20:44:20 +0000
Subject: Set domain and path and secure properties of cookie correctly.

---
 module/mod_auth_singleid.c | 43 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 9 deletions(-)

diff --git a/module/mod_auth_singleid.c b/module/mod_auth_singleid.c
index 94a39da..203b40f 100644
--- a/module/mod_auth_singleid.c
+++ b/module/mod_auth_singleid.c
@@ -95,9 +95,12 @@ typedef struct sid_session {
  * Per directory configuration.
  */
 typedef struct sid_context {
-	const char *trust_root;
+	const char *realm_uri;
 	const char *identifier;
 	const char *cookie_name;
+	const char *cookie_domain;
+	const char *cookie_path;
+	int cookie_secure;
 	int user_match;
 	ap_regex_t *converter;
 	sid_storage_t *store;
@@ -349,17 +352,33 @@ static const char*
 set_identifier (cmd_parms* cmd, void* config, const char* val)
 {
 	sid_context_t *ctx = config;
+	if (!ap_is_url (val))
+		return "Not a valid URL in SingleIdentifier";
 	ctx->identifier = apr_pstrdup (cmd->pool, val);
 	return NULL;
 }
 
 static const char*
-set_trust_root (cmd_parms* cmd, void* config, const char* val)
+set_realm (cmd_parms* cmd, void* config, const char* val)
 {
 	sid_context_t *ctx = config;
-	if (!ap_is_url (val))
-		return "Not a valid URL in SingleTrustRoot";
-	ctx->trust_root = apr_pstrdup (cmd->pool, val);
+	apr_uri_t uri;
+
+	if (apr_uri_parse (cmd->pool, val, &uri) != APR_SUCCESS)
+		return "Not a valid URL for SingleRealm";
+
+	if (uri.hostname && strchr (uri.hostname, '.'))
+		ctx->cookie_domain = uri.hostname;
+
+	if (uri.path && uri.path[0])
+		ctx->cookie_path = uri.path;
+	else
+		ctx->cookie_path = "/";
+
+	if (uri.scheme && strcasecmp (uri.scheme, "https") == 0)
+		ctx->cookie_secure = 1;
+
+	ctx->realm_uri = apr_pstrdup (cmd->pool, val);
 	return NULL;
 }
 
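Review bot: set_realm drops the `ap_is_url` check that set_trust_root performed, and `apr_uri_parse` happily accepts a bare `example.com` or a relative path, so a realm without a scheme now passes validation, leaves `cookie_domain` unset and stores the non-absolute string `example.com` in `cookie_path`, which browsers will discard; reject such values up front with `if (!uri.scheme || !uri.hostname) return "SingleRealm must be an absolute URL";` before the hostname test. OpenID 2.0 realms may also carry a leading `*.` wildcard in the host part; if this module accepts those, `uri.hostname` becomes `*.example.com` and the resulting `domain=*.example.com` attribute is rejected by browsers, so the wildcard prefix should be stripped (or such realms refused) before the value is stored in `cookie_domain`. The domain assignment deserves a comment that `domain=` makes the session cookie visible to every subdomain of the realm host, a wider scope than the host-only cookie the module sent before this change.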
@@ -495,8 +514,8 @@ set_attribute (cmd_parms *cmd, void *config, const char *val)
 static const command_rec command_table[] = {
 	AP_INIT_TAKE1 ("SingleIdentifier", set_identifier, NULL, OR_AUTHCFG,
 	               "The OpenID identifier we should perform ID selection on when authenticating" ),
-	AP_INIT_TAKE1 ("SingleTrustRoot", set_trust_root, NULL, OR_AUTHCFG,
-	               "The OpenID trust root of this site."),
+	AP_INIT_TAKE1 ("SingleRealm", set_realm, NULL, OR_AUTHCFG,
+	               "The OpenID realm (ie: trust root) of this site."),
 	AP_INIT_TAKE1 ("SingleCache", set_cache_size, NULL, OR_AUTHCFG,
 	               "Enable and optionally set the size of the OpenID association cache"),
 	AP_INIT_TAKE1 ("SingleCookieName", set_cookie_name, NULL, OR_AUTHCFG,
@@ -681,7 +700,13 @@ session_send_info (sid_context_t *ctx, request_rec *r, sid_session_t *sess)
 	sig = session_create_sig (r->pool, payload);
 
 	/* Build up the full cookie spec */
-	cookie = apr_psprintf (r->pool, "%s=%s %s; httponly", ctx->cookie_name, sig, payload);
+	cookie = apr_psprintf (r->pool, "%s=%s %s; httponly%s%s%s%s%s",
+	                       ctx->cookie_name, sig, payload,
+	                       ctx->cookie_domain ? "; domain=" : "",
+	                       ctx->cookie_domain ? ctx->cookie_domain : "",
+	                       ctx->cookie_path ? "; path=" : "",
+	                       ctx->cookie_path ? ctx->cookie_path : "",
+	                       ctx->cookie_secure ? "; secure" : "");
 	apr_table_addn (r->err_headers_out, "Set-Cookie", cookie);
 }
 
@@ -969,7 +994,7 @@ hook_authenticate (request_rec* r)
 	/* Allocate a new empty session info */
 	if (sess == NULL) {
 		/* Do the OpenID magic */
-		sid_consumer_authenticate (&req, ctx->store, ctx->trust_root,
+		sid_consumer_authenticate (&req, ctx->store, ctx->realm_uri,
 		                          ctx->identifier, ctx->attributes);
 		authenticated = 1;
 		sess = req.sess;
-- 
cgit v1.2.3
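Review bot: The `; secure` attribute in the session_send_info hunk is decided only by `ctx->cookie_secure`, i.e. by the scheme of the configured realm, so a vhost that actually serves TLS but is configured with an `http://` realm (or whose realm scheme does not match the vhost) emits the signed session cookie without Secure, and the client will then resend it in clear over any plain-http request to that host. I would derive the flag from the request as well, `(ctx->cookie_secure || strcasecmp (ap_http_scheme (r), "https") == 0) ? "; secure" : ""`, assuming the targeted httpd provides `ap_http_scheme`. The comment above the call should also record where the new attributes come from, e.g. `/* domain, path and secure are derived from SingleRealm; domain= makes the cookie visible to every subdomain of the realm host */`. session_send_info begins outside the hunk.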