authorRobert Newson <rnewson@apache.org>2011-06-03 11:30:05 +0000
committerRobert Newson <rnewson@apache.org>2011-06-03 11:30:05 +0000
commit51b27cd943b38c3b6e0e9c25915ee3aa4f092c9a (patch)
treeadc50fb2d1ed60de8c3f528f4d311479ba666199 /src
parent79f3866adc9289e66b6092e4bdda3198369e09e4 (diff)
set HttpOnly on auth cookies on SSL.
git-svn-id: https://svn.apache.org/repos/asf/couchdb/branches/1.1.x@1130996 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'src')
-rw-r--r--src/couchdb/couch_httpd_auth.erl11
1 files changed, 6 insertions, 5 deletions
diff --git a/src/couchdb/couch_httpd_auth.erl b/src/couchdb/couch_httpd_auth.erl
index 155865e5..9f6ed18a 100644
--- a/src/couchdb/couch_httpd_auth.erl
+++ b/src/couchdb/couch_httpd_auth.erl
@@ -231,7 +231,7 @@ cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
Hash = crypto:sha_mac(Secret, SessionData),
mochiweb_cookies:cookie("AuthSession",
couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)),
- [{path, "/"}, cookie_scheme(Req)]).
+ [{path, "/"}] ++ cookie_scheme(Req)).
hash_password(Password, Salt) ->
?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
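Review bot: The option list `[{path, "/"}] ++ cookie_scheme(Req)` is now spelled out identically at three call sites (here and in the two clearing paths of handle_session_req), so a future attribute such as a max-age or domain would have to be added in three places to keep the set-cookie and clear-cookie attributes in sync. A one-line helper would keep them together: `cookie_opts(Req) -> [{path, "/"}] ++ cookie_scheme(Req).` with each call site reduced to `cookie_opts(Req)`. The hunk also shows the session cookie carries no explicit `max_age`, so its lifetime is left to the browser session and the timestamp inside the value; a short comment stating that this is intended would help the next reader. cookie_auth_cookie begins before this hunk.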
@@ -292,7 +292,7 @@ handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) ->
]});
_Else ->
% clear the session
- Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
+ Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}] ++ cookie_scheme(Req)),
send_json(Req, 401, [Cookie], {[{error, <<"unauthorized">>},{reason, <<"Name or password is incorrect.">>}]})
end;
% get user info
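Review bot: The clearing cookie on the failed-login path sets `AuthSession` to an empty value but gives no expiry, so the browser keeps an empty session cookie rather than dropping it and the server must treat `""` as "no session" everywhere it parses the cookie. If mochiweb_cookies honours `max_age` as it appears to, `[{path, "/"}, {max_age, 0}] ++ cookie_scheme(Req)` would make the browser discard the cookie outright; worth confirming against the mochiweb version bundled here. A comment such as `% clear the session: empty value, same path/scheme attributes as the issuing cookie` on the changed line would make the pairing with cookie_auth_cookie explicit. handle_session_req continues outside this hunk.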
@@ -322,7 +322,7 @@ handle_session_req(#httpd{method='GET', user_ctx=UserCtx}=Req) ->
end;
% logout by deleting the session
handle_session_req(#httpd{method='DELETE'}=Req) ->
- Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}, cookie_scheme(Req)]),
+ Cookie = mochiweb_cookies:cookie("AuthSession", "", [{path, "/"}] ++ cookie_scheme(Req)),
{Code, Headers} = case couch_httpd:qs_value(Req, "next", nil) of
nil ->
{200, [Cookie]};
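Review bot: The logout clause reads a `next` query parameter and, from the shape of the `case`, presumably redirects to it in the branch cut off below this hunk; if that value is used verbatim as a Location it is an open redirect, and it should be restricted to a local path (reject values containing a scheme or starting with `//`) before being sent. The hunk itself cannot confirm the redirect, so treat this as a point to verify against the rest of the clause. The DELETE clause runs past the end of the hunk.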
@@ -353,7 +353,8 @@ make_cookie_time() ->
NowMS * 1000000 + NowS.
cookie_scheme(#httpd{mochi_req=MochiReq}) ->
+ [{http_only, true}] ++
case MochiReq:get(scheme) of
- http -> {http_only, true};
- https -> {secure, true}
+ http -> [];
+ https -> [{secure, true}]
end.
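Review bot: The Secure flag is decided solely from `MochiReq:get(scheme)`, which is the scheme of the connection mochiweb itself accepted; behind a TLS-terminating reverse proxy that is `http`, so the cookie is sent to the client over HTTPS without Secure and can later be replayed over plain HTTP. Operators in that setup need a way to force `{secure, true}` (a config knob, or honouring a forwarded-proto header only from trusted proxies), and the limitation should be stated in the function's comment until one exists. The function has no header comment; `%% Request-dependent cookie attributes: HttpOnly always, Secure only when` followed by `%% this server itself received the request over TLS (not behind a proxy).` would do.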