webmcp

changeset 551:a0f1a4e76556

Support SameSite cookies
author jbe
date Mon Dec 09 15:54:41 2019 +0100 (2019-12-09)
parents 59d2aaa6df07
children 7e874b5227b6
files framework/env/request/set_cookie.lua
line diff
     1.1 --- a/framework/env/request/set_cookie.lua	Wed Oct 23 19:32:40 2019 +0200
     1.2 +++ b/framework/env/request/set_cookie.lua	Mon Dec 09 15:54:41 2019 +0100
     1.3 @@ -1,10 +1,11 @@
     1.4  --[[--
     1.5  request.set_cookie{
     1.6 -  name   = name,     -- name of cookie
     1.7 -  value  = value,    -- value of cookie
     1.8 -  domain = domain,   -- optional domain domain where cookie is transmitted
     1.9 -  path   = path,     -- optional path where cookie is transmitted, defaults to application base
    1.10 -  secure = secure    -- optional boolean, indicating if cookie should only be transmitted over HTTPS
    1.11 +  name     = name,     -- name of cookie
    1.12 +  value    = value,    -- value of cookie
    1.13 +  domain   = domain,   -- optional domain domain where cookie is transmitted
    1.14 +  path     = path,     -- optional path where cookie is transmitted, defaults to application base
    1.15 +  secure   = secure,   -- optional boolean, indicating if cookie should only be transmitted over HTTPS
    1.16 +  samesite = samesite  -- SameSite policy set to "strict", "lax", or "none" (all lower-case, defaults to "lax")
    1.17  }
    1.18  
    1.19  This function is similar to rocketwiki.set_cookie{...}, except that it automatically sets the path to the application base. It also sets secure=true, if the secure option is unset and the application base URL starts with "https://".
    1.20 @@ -52,5 +53,14 @@
    1.21    if args.secure then
    1.22      parts[#parts+1] = "secure"
    1.23    end
    1.24 +  if args.samesite == "strict" then
    1.25 +    parts[#parts+1] = "SameSite=Strict"
    1.26 +  elseif args.samesite == "lax" or args.samesite == nil then
    1.27 +    parts[#parts+1] = "SameSite=Lax"
    1.28 +  elseif args.samesite == "none" then
    1.29 +    parts[#parts+1] = "SameSite=None"
    1.30 +  else
    1.31 +    error("Cookie SameSite policy set to unsupported value")
    1.32 +  end
    1.33    request.add_header("Set-Cookie", table.concat(parts, "; "))
    1.34  end

Impressum / About Us