Bug 60908 - Add expires parameters in Apache-issued cookies
Summary: Add expires parameters in Apache-issued cookies
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2017-03-24 04:33 UTC by manu
Modified: 2017-03-24 04:36 UTC (History)
0 users



Attachments
Add expires parameters in Apache-issued cookies (1.59 KB, patch)
2017-03-24 04:33 UTC, manu
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description manu 2017-03-24 04:33:21 UTC
Created attachment 34872 [details]
Add expires parameters in Apache-issued cookies

ap_cookie_write() sets a cookie with an optional max-age parameter. Unfortunately, Microsoft Internet Explorer and Edge browsers do not support max-age and will only consider the expires property.

The attached patch adds an expires property matching max-age, so that cookies set with ap_cookie_write() behave the same way on all browsers.
Comment 1 manu 2017-03-24 04:34:20 UTC
Comment on attachment 34872 [details]
Add expires parameters in Apache-issued cookies

>Index: server/util_cookies.c
>===================================================================
>--- server/util_cookies.c	(revision 1788360)
>+++ server/util_cookies.c	(working copy)
>@@ -35,7 +35,8 @@
>  * @param val The value to place in the cookie.
>  * @param attrs The string containing additional cookie attributes. If NULL, the
>  *              DEFAULT_ATTRS will be used.
>- * @param maxage If non zero, a Max-Age header will be added to the cookie.
>+ * @param maxage If non zero, Max-Age and derived Expires header will be 
>+                 added to the cookie.
>  */
> AP_DECLARE(apr_status_t) ap_cookie_write(request_rec * r, const char *name, const char *val,
>                                          const char *attrs, long maxage, ...)
>@@ -49,7 +50,12 @@
>     /* handle expiry */
>     buffer = "";
>     if (maxage) {
>+        char expires[APR_RFC822_DATE_LEN];
>+
>         buffer = apr_pstrcat(r->pool, "Max-Age=", apr_ltoa(r->pool, maxage), ";", NULL);
>+
>+        if (apr_rfc822_date(expires, apr_time_now() + apr_time_from_sec(maxage)) == APR_SUCCESS)
>+            buffer = apr_pstrcat(r->pool, buffer, "Expires=", expires, ";", NULL);
>     }
> 
>     /* create RFC2109 compliant cookie */
>@@ -124,6 +130,7 @@
> 
>     /* create RFC2109 compliant cookie */
>     const char *rfc2109 = apr_pstrcat(r->pool, name, "=;Max-Age=0;",
>+                                "Expires=Thu, 01-Jan-1970 01:00:00 GMT;",
>                                 attrs ? attrs : CLEAR_ATTRS, NULL);
>     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00009) LOG_PREFIX
>                   "user '%s' removed cookie: '%s'", r->user, rfc2109);