Hello, >Jani: Provide the patch against CVS HEAD branch.
You can find the patches for httpOnly session cookies against the PHP5 CVS HEAD in the attachment. Now also included is support for httpOnly cookies for PHP functions setcookie() and setrawcookie(). bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] ) bool setrawcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] ) Default value for httponly is 0. > Steven: IE on Mac fails to recognize such cookies. You will have to code around this browser bug. An easy hack around this is to identify that browser by use of browscap.ini and then code something like this for session cookies: if(IE-MAC) { session_set_cookie_params(ini_get("session.cookie_lifetime"),ini_get("session.cookie_path"),ini_get("session.cookie_domain"),ini_get("session.cookie_secure"),0); } session_start(); Jochen [ext/session/session.c.patch ; ext/session/php_session.h.patch ; ext/standard/head.c.patch ; ext/standard/head.h.patch]
--- /php/php5-org/ext/session/php_session.h 2005-06-23 22:54:12.000000000 +0200
+++ php_session.h 2005-06-23 22:55:45.000000000 +0200
@@ -103,6 +103,7 @@
 char *cookie_path;
 char *cookie_domain;
 zend_bool cookie_secure;
+ zend_bool cookie_httponly;
 ps_module *mod;
 void *mod_data;
 php_session_status session_status;
--- /php/php5-org/ext/session/session.c 2005-06-23 22:54:12.000000000 +0200
+++ session.c 2005-06-24 00:35:01.000000000 +0200
@@ -164,6 +164,7 @@
 STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateString, cookie_path, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateString, cookie_domain, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
+ STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
@@ -987,6 +988,7 @@
 #define COOKIE_PATH "; path="
 #define COOKIE_DOMAIN "; domain="
 #define COOKIE_SECURE "; secure"
+#define COOKIE_HTTPONLY "; httponly"
 static void php_session_send_cookie(TSRMLS_D)
 {
@@ -1039,6 +1041,11 @@
 if (PS(cookie_secure)) {
 smart_str_appends(&ncookie, COOKIE_SECURE);
 }
+
+ if (PS(cookie_httponly)) {
+ smart_str_appends(&ncookie, COOKIE_HTTPONLY);
+ }
+
 smart_str_0(&ncookie);
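Review bot: In the first hunk the new `session.cookie_httponly` entry defaults to "0" and is registered `PHP_INI_ALL`, so the session cookie stays readable by browser scripting unless the administrator opts in, and the flag can be changed again at runtime. No php.ini sample or manual change is part of the patch as posted, so the directive and its default are undocumented. The distributed ini files should carry a line such as `; session.cookie_httponly = 0`, with a sentence saying that enabling it adds the httponly attribute to the session cookie.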
@@ -1264,17 +1271,17 @@
 }
-/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure]]])
+/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure [, bool httponly]]]])
 Set session cookie parameters */
 PHP_FUNCTION(session_set_cookie_params)
 {
- zval **lifetime, **path, **domain, **secure;
+ zval **lifetime, **path, **domain, **secure, **httponly;
 if (!PS(use_cookies)) return;
- if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 ||
- zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure) == FAILURE)
+ if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
+ zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure, &httponly) == FAILURE)
 WRONG_PARAM_COUNT;
 convert_to_string_ex(lifetime);
@@ -1291,6 +1298,10 @@
 convert_to_long_ex(secure);
 zend_alter_ini_entry("session.cookie_secure", sizeof("session.cookie_secure"), Z_BVAL_PP(secure)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 }
+ if (ZEND_NUM_ARGS() > 4) {
+ convert_to_long_ex(httponly);
+ zend_alter_ini_entry("session.cookie_httponly", sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+ }
 }
 }
 }
@@ -1310,6 +1321,8 @@
 add_assoc_string(return_value, "path", PS(cookie_path), 1);
 add_assoc_string(return_value, "domain", PS(cookie_domain), 1);
 add_assoc_bool(return_value, "secure", PS(cookie_secure));
+ add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
+
 }
 /* }}} */
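Review bot: In the `@@ -1291` hunk the new argument is normalised with `convert_to_long_ex(httponly)` and then read through `Z_BVAL_PP(httponly)`, copying the `secure` handling directly above it. Reading the boolean accessor from a value converted to long presumably narrows the long to `zend_bool`, so a non-zero integer whose low byte is zero could leave the flag off although the caller asked for it. `convert_to_boolean_ex(httponly);` states the intent and avoids the narrowing. The existing `secure` lines have the same pattern and are not touched by this patch. The function starts in the previous hunk and the outer argument-count checks are outside this one.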
--- /php/php5-org/ext/standard/head.c 2005-06-23 22:54:12.000000000 +0200
+++ head.c 2005-06-23 23:27:53.000000000 +0200
@@ -59,7 +59,7 @@
 }
-PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC)
+PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int httponly, int url_encode TSRMLS_DC)
 {
 char *cookie, *encoded_value = NULL;
 int len=sizeof("Set-Cookie: ");
@@ -131,6 +131,9 @@
 if (secure) {
 strcat(cookie, "; secure");
 }
+ if (httponly) {
+ strcat(cookie, "; httponly");
+ }
 ctr.line = cookie;
 ctr.line_len = strlen(cookie);
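Review bot: In the `@@ -131` hunk `strcat(cookie, "; httponly")` appends ten more bytes to a buffer whose allocation lies outside the hunk, and nothing in the patch adds to `len` for the new attribute. If `cookie` is sized from `len` plus a fixed slack, confirm that the slack still covers the expires, path, domain, secure and httponly attributes together. Otherwise account for it where the other lengths are summed, e.g. `if (httponly) len += sizeof("; httponly");`. php_setcookie's body runs beyond both ends of this hunk, so the sizing code could not be checked here.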
@@ -141,23 +144,23 @@
 }
-/* php_set_cookie(name, value, expires, path, domain, secure) */
-/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]])
+/* php_set_cookie(name, value, expires, path, domain, secure, httponly) */
+/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure [, bool httponly]]]]]])
 Send a cookie */
 PHP_FUNCTION(setcookie)
 {
 char *name, *value = NULL, *path = NULL, *domain = NULL;
 long expires = 0;
- zend_bool secure = 0;
+ zend_bool secure = 0, httponly = 0;
 int name_len, value_len, path_len, domain_len;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name,
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name,
 &name_len, &value, &value_len, &expires, &path,
- &path_len, &domain, &domain_len, &secure) == FAILURE) {
+ &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) {
 return;
 }
- if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 1 TSRMLS_CC) == SUCCESS) {
+ if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, httponly, 1 TSRMLS_CC) == SUCCESS) {
 RETVAL_TRUE;
 } else {
 RETVAL_FALSE;
@@ -165,22 +168,22 @@
 }
 /* }}} */
-/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]])
+/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure [, bool httponly]]]]]])
 Send a cookie with no url encoding of the value */
 PHP_FUNCTION(setrawcookie)
 {
 char *name, *value = NULL, *path = NULL, *domain = NULL;
 long expires = 0;
- zend_bool secure = 0;
+ zend_bool secure = 0, httponly=0;
 int name_len, value_len, path_len, domain_len;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name,
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name,
 &name_len, &value, &value_len, &expires, &path,
- &path_len, &domain, &domain_len, &secure) == FAILURE) {
+ &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) {
 return;
 }
- if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 0 TSRMLS_CC) == SUCCESS) {
+ if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, httponly, 0 TSRMLS_CC) == SUCCESS) {
 RETVAL_TRUE;
 } else {
 RETVAL_FALSE;
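Review bot: `zend_bool secure = 0, httponly=0;` in setrawcookie is spaced differently from the same declaration in the setcookie hunk; write `zend_bool secure = 0, httponly = 0;` to match. The two functions now repeat an identical seven-argument parse and differ only in the final `url_encode` value passed to `php_setcookie()`, so a shared static helper taking that value would keep them from drifting apart. setrawcookie's body continues past the end of the hunk.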
--- /php/php5-org/ext/standard/head.h 2005-06-23 22:54:12.000000000 +0200
+++ head.h 2005-06-23 23:28:26.000000000 +0200
@@ -29,6 +29,6 @@
 PHP_FUNCTION(headers_list);
 PHPAPI int php_header(TSRMLS_D);
-PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC);
+PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int httponly, int url_encode TSRMLS_DC);
 #endif
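Review bot: The exported `php_setcookie()` prototype gains `int httponly` in the middle of the argument list, before `url_encode`, and the patch updates only the two callers in head.c. Any other caller in the tree or in an external extension will stop compiling because of the argument count, which is the safe failure, but nothing here tells extension authors about it. A comment above the declaration would help, e.g. `/* httponly precedes url_encode; callers must pass both flags explicitly */`.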