https://issues.apache.org/bugzilla/show_bug.cgi?id=56734

            Bug ID: 56734
           Summary: mod_lua setcookie applies double-quotes to Expires and
                    Path that break at least MSIE
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_lua
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 31824
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31824&action=edit
Patch for 2.5-HEAD /trunk, ideally backport to 2.4.x.

mod_lua setcookie applies double-quotes to Expires and Path (e.g.
Path="/web-app";) that break at least MSIE.  This should not enclose the
Expires and Path in double-quotes since, although the examples in earlier
versions of HTTP Cookie RFC show double-quoted values, it's not so in the
latest RFC http://tools.ietf.org/html/rfc6265 and it does prevent the cookie
from being sent to the server in at least MSIE 9, breaking for example /web-app
session cookies.

This is related to https://issues.apache.org/bugzilla/show_bug.cgi?id=52779 .

I've attached a 2.4-HEAD patch for lua_request.c, ideally to work back to
2.4.x, and below is a work-around in Lua itself.

-- Use this setCookie instead of Apache r:setcookie.
-- Apache r:setcookie is broken where double-quotes are added to Path
function setCookie(r,c)
    local expires = ''
    if c.expires ~= nil then
        if type(c.expires) == "number" then
            -- Numeric expiry: format the epoch time as an HTTP date in GMT.
            expires = '; Expires='.. os.date("!%a, %d %b %Y %H:%M:%S GMT",c.expires)
        else
            -- Otherwise use the caller's preformatted date string as-is.
            expires = '; Expires='.. c.expires
        end
    end

    -- Build the header with unquoted attribute values.
    r.err_headers_out["Set-Cookie"] = c.key ..'='.. c.value .. expires ..
        (c.domain ~= nil and '; Domain='.. c.domain or '') ..
        ((c.path ~= nil and string.len(c.path) ~= 0) and '; Path='.. c.path or '') ..
        ((c.secure ~= nil and c.secure) and '; Secure' or '') ..
        ((c.httponly ~= nil and c.httponly) and '; HttpOnly' or '')
end

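The serialization this report asks for, as an added example in C (the language of lua_request.c); it is not the attached patch and not mod_lua code. format_set_cookie and octets_ok are hypothetical names, Domain is left out for brevity, and the example additionally refuses control characters and ';' in the values so that a caller-supplied Path or value cannot add attributes of its own.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* 1 if s is non-empty printable US-ASCII containing none of the bytes in reject. */
static int octets_ok(const char *s, const char *reject)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e || strchr(reject, c) != NULL)
            return 0;
    }
    return 1;
}

/* Hypothetical helper (not an httpd API): writes
 *   name=value[; Expires=<date>][; Path=<path>][; Secure][; HttpOnly]
 * with Expires and Path unquoted, as in the RFC 6265 grammar.
 * expires < 0 means no Expires attribute; path may be NULL.
 * Returns the length written, or -1 on bad input or a short buffer. */
int format_set_cookie(char *out, size_t cap, const char *name, const char *value,
                      long long expires, const char *path, int secure, int httponly)
{
    char date[48] = "";
    int n;

    /* name is an HTTP token; value is a run of RFC 6265 cookie-octets. */
    if (!octets_ok(name, "()<>@,;:\\\"/[]?={} ") || !octets_ok(value, " \",;\\"))
        return -1;
    /* path-value: no CTLs, no ';'. Requiring a leading '/' also refuses a quoted path. */
    if (path != NULL && (path[0] != '/' || !octets_ok(path, ";")))
        return -1;
    if (expires >= 0) {
        time_t t = (time_t)expires;
        struct tm *tm = gmtime(&t); /* static storage: single-threaded example */
        /* %a and %b give English names in the default "C" locale. */
        if (tm == NULL || strftime(date, sizeof date,
                                   "; Expires=%a, %d %b %Y %H:%M:%S GMT", tm) == 0)
            return -1;
    }
    n = snprintf(out, cap, "%s=%s%s%s%s%s%s", name, value, date,
                 path ? "; Path=" : "", path ? path : "",
                 secure ? "; Secure" : "", httponly ? "; HttpOnly" : "");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}
```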