Re: [Cgi-session-user] [Fwd: Re: CGI Session not support HTTPONLY]
Brought to you by:
sherzodr
Menu
▾
▴
Re: [Cgi-session-user] [Fwd: Re: CGI Session not support HTTPONLY]
|
From: Ron S. <ro...@sa...> - 2009-09-05 00:35:19
|
Hi Folks
On Fri, 2009-09-04 at 09:22 -0400, Mark Stosberg wrote:
> > > I'dont really remember, but a I'think the code look like this:
> > >
> > > sub is_httponly { return defined($_[0]->dataref) ?
> > > $_[0]->dataref->{_HTTPONLY}: 0 }
> > >
> > > sub is_secure { return defined($_[0]->dataref) ?
> > > $_[0]->dataref->{_SECURE}: 0 }
>
> I haven't looked at this closely, but my hope is that there is not a not need
> for CGI::Session to add two new methods for every attribute that exists in CGI::Cookie.
> ( Example: httponly() and is_httponly(). )
Agreed.
> I would hope there is a design where can do the minimum amount possible in our cookie() method, and pass everything on through to CGI::Cookie.
Miguel has sent me his version of Session.pm.
Here's the diff between the soon-to-be-released 4.43 and his 4.42:
ron@zoe:~/repos/cgi-session$ diff lib/CGI/Session.pm ~/Session.pm
10c10
< $CGI::Session::VERSION = '4.43';
---
> $CGI::Session::VERSION = '4.42';
19a20,44
>
> #Added
> sub httponly {
> my $self = shift;
> my $httponly = shift || 0;
>
> my $dataref = $self->{_DATA};
> $dataref->{_HTTPONLY} = $httponly;
> $self->_set_status( STATUS_MODIFIED );
>
> return $self;
> }
>
> #Added
> sub secure {
> my $self = shift;
> my $secure = shift || 0;
>
> my $dataref = $self->{_DATA};
> $dataref->{_SECURE} = $secure;
> $self->_set_status( STATUS_MODIFIED );
>
> return $self;
> }
>
89a115
> $dataref->{_HTTPONLY} = 1;
104c130,134
< sub is_expired { $_[0]->_test_status( STATUS_EXPIRED ) }
---
> #original
> # sub is_expired { $_[0]->_test_status( STATUS_EXPIRED ) }
>
> #modified
> sub is_expired { return ( $_[0]->dataref->{_SESSION_ATIME} +
$_[0]->{_DATA}->{_SESSION_ETIME} <= time() ) ? 1 : 0 }
If you search the source for 'checking for expiration ticker' you'll see
this replacement for is_expired() repeats the code which sets
STATUS_EXPIRED, so I don't see the point of the patch.
115a146,151
> #Added
> sub is_httponly { return defined($_[0]->dataref) ?
$_[0]->dataref->{_HTTPONLY} : 0 }
>
> #Added
> sub is_secure { return defined($_[0]->dataref) ?
$_[0]->dataref->{_SECURE} : 0 }
>
335a372,374
>
> #original
> =item
352a392
> =cut
353a394,396
> #modified
> sub cookie {
> my $self = shift;
354a398,427
> my $query = $self->query();
> my $cookie= undef;
>
> if ( $self->is_expired ) {
>
> $cookie = $query->cookie( -secure=> $self->is_secure,
> -httponly=> $self->is_httponly,
> -name=> $self->name,
> -value=> $self->id,
> -expires=> '-1d', @_
> );
If the cookie has expired, would there be any need to set secure and
httponly?
> }
> elsif ( my $t = $self->expire ) {
> $cookie = $query->cookie( -secure=> $self->is_secure,
> -httponly=> $self->is_httponly,
> -name=> $self->name,
> -value=> $self->id,
> -expires=> '+' . $t . 's', @_
> );
> }
> else {
> $cookie = $query->cookie( -secure=> $self->is_secure,
> -httponly=> $self->is_httponly,
> -name=> $self->name,
> -value=> $self->id, @_
> );
> }
>
> return $cookie;
> }
643a717
> _HTTPONLY => 1,
1415c1489
< checking out the code repository. You can browse the git repository
from here:
---
> checking out the code repository. You can browse the Subversion
repository from here:
1417c1491
< http://github.com/cromedome/cgi-session/tree/master
---
> http://svn.cromedome.net/repos/CGI-Session
1419c1493
< or check out the code with:
---
> Or check it directly with C<svn> from here:
1421c1495
< git clone git://github.com/cromedome/cgi-session.git
---
> https://svn.cromedome.net/repos/CGI-Session
1473a1548
>
--
Ron Savage
ro...@sa...
http://savage.net.au/index.html
|
