Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:16888 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71362 invoked by uid 1010); 23 Jun 2005 23:19:29 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 71347 invoked from network); 23 Jun 2005 23:19:29 -0000 Received: from unknown (HELO pb1.pair.com) (127.0.0.1) by localhost with SMTP; 23 Jun 2005 23:19:29 -0000 X-Host-Fingerprint: 194.25.134.19 mailout06.sul.t-online.com Linux 2.4/2.6 Received: from ([194.25.134.19:48921] helo=mailout06.sul.t-online.com) by pb1.pair.com (ecelerity 1.2 r(5656M)) with SMTP id 00/C8-22648-F734BB24 for ; Thu, 23 Jun 2005 19:19:27 -0400 Received: from fwd25.aul.t-online.de by mailout06.sul.t-online.com with smtp id 1Dlayi-0002E0-01; Fri, 24 Jun 2005 01:19:24 +0200 Received: from mframe.test-lab (JbBqcoZOweBHgMMbk2gh+cSx5TN8-fzeo0GuKa5ZrkmXQHakk4jNkt@[84.165.77.98]) by fwd25.sul.t-online.de with esmtp id 1DlayV-1lW8fY0; Fri, 24 Jun 2005 01:19:11 +0200 To: internals@lists.php.net Content-Type: multipart/mixed; boundary="=-93Zv02J+z/G8qjsmzqUt" Date: Fri, 24 Jun 2005 01:19:10 +0200 Message-ID: <1119568750.15651.23.camel@mframe.test-lab> Mime-Version: 1.0 X-Mailer: Evolution 2.2.1 X-ID: JbBqcoZOweBHgMMbk2gh+cSx5TN8-fzeo0GuKa5ZrkmXQHakk4jNkt X-TOI-MSGID: ae2d7211-a8ad-4e09-a7fc-367e057529b1 Subject: Re: httpOnly Cookies [tiny enhancement] 
From: hansper@t-online.de (Jochen Hansper) --=-93Zv02J+z/G8qjsmzqUt Content-Type: text/plain Content-Transfer-Encoding: 7bit Hello, >Jani: Provide the patch against CVS HEAD branch. You can find the patches for httpOnly session cookies against the PHP5 CVS HEAD in the attachment. Now also included is support for httpOnly cookies for PHP functions setcookie() and setrawcookie(). bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] ) bool setrawcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] ) Default value for httponly is 0. > Steven: IE on Mac fails to recognize such cookies. You will have to code around this browser bug. An easy hack around this is to identify that browser by use of browscap.ini and then code something like this for session cookies: if(IE-MAC) { session_set_cookie_params(ini_get("session.cookie_lifetime"),ini_get("session.cookie_path"),ini_get("session.cookie_domain"),ini_get("session.cookie_secure"),0); } session_start(); Jochen [ext/session/session.c.patch ; ext/session/php_session.h.patch ; ext/standard/head.c.patch ; ext/standard/head.h.patch] --=-93Zv02J+z/G8qjsmzqUt Content-Disposition: attachment; filename=php_session.h.patch Content-Type: text/x-patch; name=php_session.h.patch; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit --- /php/php5-org/ext/session/php_session.h 2005-06-23 22:54:12.000000000 +0200 +++ php_session.h 2005-06-23 22:55:45.000000000 +0200 
@@ -103,6 +103,7 @@ char *cookie_path; char *cookie_domain; zend_bool cookie_secure; + zend_bool cookie_httponly; ps_module *mod; void *mod_data; php_session_status session_status; --=-93Zv02J+z/G8qjsmzqUt Content-Disposition: attachment; filename=session.c.patch Content-Type: text/x-patch; name=session.c.patch; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit --- /php/php5-org/ext/session/session.c 2005-06-23 22:54:12.000000000 +0200 +++ session.c 2005-06-24 00:35:01.000000000 +0200 @@ -164,6 +164,7 @@ STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateString, cookie_path, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateString, cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) @@ -987,6 +988,7 @@ #define COOKIE_PATH "; path=" #define COOKIE_DOMAIN "; domain=" #define COOKIE_SECURE "; secure" +#define COOKIE_HTTPONLY "; httponly" static void php_session_send_cookie(TSRMLS_D) { @@ -1039,6 +1041,11 @@ if (PS(cookie_secure)) { smart_str_appends(&ncookie, COOKIE_SECURE); } + + if (PS(cookie_httponly)) { + smart_str_appends(&ncookie, COOKIE_HTTPONLY); + } + smart_str_0(&ncookie); 
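Review bot: The new `COOKIE_HTTPONLY` token spells the attribute as lowercase `; httponly`, while the attribute as originally documented is written `HttpOnly`; the head.c hunk at @@ -131 uses the same lowercase literal in its `strcat`. Cookie parsers generally compare attribute names case-insensitively, so both forms should be accepted, but emitting the documented capitalisation removes any reliance on that for older clients and matches what a developer inspecting a response will look for. Change the macro to `#define COOKIE_HTTPONLY "; HttpOnly"` and the head.c literal to `"; HttpOnly"` together so the session and setcookie paths stay identical.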
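Review bot: The hunk adds an empty `+` line before the new `if (PS(cookie_httponly))` block and another after it, whereas, as far as the context shows, the neighbouring `cookie_secure` block was followed directly by `smart_str_0(&ncookie)`; the extra whitespace makes the diff noisier than the change and leaves the two attribute blocks formatted differently. Dropping the two blank lines keeps them alike. The session_get_cookie_params hunk at @@ -1310 has the same problem, adding a stray blank line between the new `add_assoc_bool(return_value, "httponly", ...)` call and the closing brace.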
@@ -1264,17 +1271,17 @@ } -/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure]]]) +/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure [, bool httponly]]]]) Set session cookie parameters */ PHP_FUNCTION(session_set_cookie_params) { - zval **lifetime, **path, **domain, **secure; + zval **lifetime, **path, **domain, **secure, **httponly; if (!PS(use_cookies)) return; - if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 || - zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure) == FAILURE) + if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 || + zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure, &httponly) == FAILURE) WRONG_PARAM_COUNT; convert_to_string_ex(lifetime); @@ -1291,6 +1298,10 @@ convert_to_long_ex(secure); zend_alter_ini_entry("session.cookie_secure", sizeof("session.cookie_secure"), Z_BVAL_PP(secure)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); } + if (ZEND_NUM_ARGS() > 4) { + convert_to_long_ex(httponly); + zend_alter_ini_entry("session.cookie_httponly", sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); + } } } } @@ -1310,6 +1321,8 @@ add_assoc_string(return_value, "path", PS(cookie_path), 1); add_assoc_string(return_value, "domain", PS(cookie_domain), 1); add_assoc_bool(return_value, "secure", PS(cookie_secure)); + add_assoc_bool(return_value, "httponly", PS(cookie_httponly)); + } /* }}} */ --=-93Zv02J+z/G8qjsmzqUt Content-Disposition: attachment; filename=head.c.patch Content-Type: text/x-patch; name=head.c.patch; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit --- /php/php5-org/ext/standard/head.c 2005-06-23 22:54:12.000000000 +0200 +++ head.c 2005-06-23 23:27:53.000000000 +0200 
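Review bot: `convert_to_long_ex(httponly)` followed by `Z_BVAL_PP(httponly)` narrows the long to a zend_bool before the `?"1":"0"` test (if `Z_BVAL` is the zend_bool cast of `lval`, as in zend_operators.h), so a value whose low byte is zero, such as 256, would select "0" even though PHP treats it as true. The block copies this from the `secure` handling just above it, but the new code need not repeat the quirk: `convert_to_boolean_ex(httponly);` in place of the long conversion yields a 0/1 value that the `Z_BVAL_PP` read reports faithfully. session_set_cookie_params begins before this hunk; its closing brace is the last line of the hunk.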
@@ -59,7 +59,7 @@ } -PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC) +PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int httponly, int url_encode TSRMLS_DC) { char *cookie, *encoded_value = NULL; int len=sizeof("Set-Cookie: "); @@ -131,6 +131,9 @@ if (secure) { strcat(cookie, "; secure"); } + if (httponly) { + strcat(cookie, "; httponly"); + } ctr.line = cookie; ctr.line_len = strlen(cookie); @@ -141,23 +144,23 @@ } -/* php_set_cookie(name, value, expires, path, domain, secure) */ -/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]]) +/* php_set_cookie(name, value, expires, path, domain, secure, httponly) */ +/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure [, bool httponly]]]]]]) Send a cookie */ PHP_FUNCTION(setcookie) { char *name, *value = NULL, *path = NULL, *domain = NULL; long expires = 0; - zend_bool secure = 0; + zend_bool secure = 0, httponly = 0; int name_len, value_len, path_len, domain_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name, + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name, &name_len, &value, &value_len, &expires, &path, - &path_len, &domain, &domain_len, &secure) == FAILURE) { + &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) { return; } - if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 1 TSRMLS_CC) == SUCCESS) { + if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, httponly, 1 TSRMLS_CC) == SUCCESS) { RETVAL_TRUE; } else { RETVAL_FALSE; 
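Review bot: Inserting `int httponly` into the middle of the exported `PHPAPI int php_setcookie(...)` signature (here and in the head.h hunk at @@ -29) breaks every caller outside this tree: source recompiled against the new header fails to build, and a binary built against the old prototype passes one argument fewer, so `url_encode` is read from whatever happens to sit in that slot and an unspecified value then decides whether the cookie value is URL-encoded. If API compatibility matters for the target branch, rename the patched definition to a new entry point that carries the extra parameter (e.g. `php_setcookie_ex`, name illustrative), and keep `php_setcookie` with its pre-patch signature as a thin wrapper that passes `httponly` as 0. The body of php_setcookie continues outside this hunk.
```c
/* Compatibility entry point: keeps the pre-patch signature for external callers;
 * httponly defaults to 0 so existing behaviour is unchanged. */
PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC)
{
	return php_setcookie_ex(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 0, url_encode TSRMLS_CC);
}
```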
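Review bot: The added `strcat(cookie, "; httponly")` appends ten more bytes to `cookie` with no matching change to `len`, the length the buffer is sized from (`int len=sizeof("Set-Cookie: ")` in the @@ -59 hunk; the allocation and the remaining `len` arithmetic lie outside these hunks). Whether the allocation carries enough fixed slack to absorb another attribute cannot be verified from the diff; if it is sized with a constant margin, each new attribute consumes it silently, and an unchecked `strcat` into a heap buffer that has run out is a heap overflow. Account for it where the other lengths are summed, `len += sizeof("; httponly") - 1;`, so the size computation stays correct by construction, and consider building the header with a bounded `snprintf` or the same smart_str approach session.c uses rather than a `strcat` chain. php_setcookie starts before and ends after this hunk.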
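Review bot: The comment rewritten at the top of this hunk, `/* php_set_cookie(name, value, expires, path, domain, secure, httponly) */`, still names a `php_set_cookie` that does not match the function the body actually calls, `php_setcookie`, and still omits the trailing `url_encode` argument that the call below passes as the literal `1`. Since the line is touched anyway, make it match the real call: `/* php_setcookie(name, value, expires, path, domain, secure, httponly, url_encode) */`. The setrawcookie hunk at @@ -165 carries only the proto line, so no change is needed there.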
@@ -165,22 +168,22 @@ } /* }}} */ -/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]]) +/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure [, bool httponly]]]]]]) Send a cookie with no url encoding of the value */ PHP_FUNCTION(setrawcookie) { char *name, *value = NULL, *path = NULL, *domain = NULL; long expires = 0; - zend_bool secure = 0; + zend_bool secure = 0, httponly=0; int name_len, value_len, path_len, domain_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name, + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name, &name_len, &value, &value_len, &expires, &path, - &path_len, &domain, &domain_len, &secure) == FAILURE) { + &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) { return; } - if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 0 TSRMLS_CC) == SUCCESS) { + if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, httponly, 0 TSRMLS_CC) == SUCCESS) { RETVAL_TRUE; } else { RETVAL_FALSE; --=-93Zv02J+z/G8qjsmzqUt Content-Disposition: attachment; filename=head.h.patch Content-Type: text/x-patch; name=head.h.patch; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit --- /php/php5-org/ext/standard/head.h 2005-06-23 22:54:12.000000000 +0200 +++ head.h 2005-06-23 23:28:26.000000000 +0200 
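Review bot: `zend_bool secure = 0, httponly=0;` drops the spaces around `=` for the new initializer, while the identical declaration added to setcookie in the @@ -141 hunk is written `secure = 0, httponly = 0;`; the two functions otherwise mirror each other line for line, so the inconsistency stands out. Write `zend_bool secure = 0, httponly = 0;` here as well.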
@@ -29,6 +29,6 @@ PHP_FUNCTION(headers_list); PHPAPI int php_header(TSRMLS_D); -PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC); +PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int httponly, int url_encode TSRMLS_DC); #endif --=-93Zv02J+z/G8qjsmzqUt--