aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Paprocki <robert@cryptobells.com>2016-05-31 13:41:38 -0700
committerJiale Zhi <vipcalio@gmail.com>2016-06-07 11:31:30 -0700
commit8f414390cc72da90e9a450a2127acaea247e3dda (patch)
tree3b5af925ce4c600aceaef10665378a626ebd4c8a
parentb83165199e63eec5c7e58f489eb4ac17657e7c46 (diff)
downloadlua-resty-cookie-8f414390cc72da90e9a450a2127acaea247e3dda.tar.gz
lua-resty-cookie-8f414390cc72da90e9a450a2127acaea247e3dda.tar.bz2
lua-resty-cookie-8f414390cc72da90e9a450a2127acaea247e3dda.zip
Implement support for SameSite attribute
SameSite is an update to RFC6265, allowing servers to assert that user agents should not send certain cookies along with cross-site requests. See: https://tools.ietf.org/html/draft-west-first-party-cookies-07
-rw-r--r--README.md3
-rw-r--r--lib/resty/cookie.lua13
-rw-r--r--t/sanity.t47
3 files changed, 57 insertions, 6 deletions
diff --git a/README.md b/README.md
index 5ac833d..3248285 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ Synopsis
key = "Name", value = "Bob", path = "/",
domain = "example.com", secure = true, httponly = true,
expires = "Wed, 09 Jun 2021 10:18:14 GMT", max_age = 50,
- extension = "a4334aebaec"
+ samesite = "Strict", extension = "a4334aebaec"
})
if not ok then
ngx.log(ngx.ERR, err)
@@ -122,6 +122,7 @@ syntax: ok, err = cookie_obj:set({
secure = true, httponly = true,
expires = "Wed, 09 Jun 2021 10:18:14 GMT",
max_age = 50,
+ samesite = "Strict",
extension = "a4334aebaec"
})
```
diff --git a/lib/resty/cookie.lua b/lib/resty/cookie.lua
index 11d435f..b61877e 100644
--- a/lib/resty/cookie.lua
+++ b/lib/resty/cookie.lua
@@ -8,6 +8,7 @@ local sub = string.sub
local format = string.format
local log = ngx.log
local ERR = ngx.ERR
+local WARN = ngx.WARN
local ngx_header = ngx.header
local EQUAL = byte("=")
@@ -136,6 +137,17 @@ local function bake(cookie)
if cookie["max-age"] then
cookie.max_age = cookie["max-age"]
end
+
+ if (cookie.samesite) then
+ local samesite = cookie.samesite
+
+ -- if we dont have a valid-looking attribute, ignore the attribute
+ if (samesite ~= "Strict" and samesite ~= "Lax") then
+ log(WARN, "SameSite value must be 'Strict' or 'Lax'")
+ cookie.samesite = nil
+ end
+ end
+
local str = cookie.key .. "=" .. cookie.value
.. (cookie.expires and "; Expires=" .. cookie.expires or "")
.. (cookie.max_age and "; Max-Age=" .. cookie.max_age or "")
@@ -143,6 +155,7 @@ local function bake(cookie)
.. (cookie.path and "; Path=" .. cookie.path or "")
.. (cookie.secure and "; Secure" or "")
.. (cookie.httponly and "; HttpOnly" or "")
+ .. (cookie.samesite and "; SameSite=" .. cookie.samesite or "")
.. (cookie.extension and "; " .. cookie.extension or "")
return str
end
diff --git a/t/sanity.t b/t/sanity.t
index 952b81e..cb52ae8 100644
--- a/t/sanity.t
+++ b/t/sanity.t
@@ -5,7 +5,7 @@ use Cwd qw(cwd);
repeat_each(2);
-plan tests => repeat_each() * (blocks() * 3 + 4);
+plan tests => repeat_each() * (blocks() * 3 + 6);
my $pwd = cwd();
@@ -53,8 +53,6 @@ Cookie: SID=31d4d96e407aad42; lang=en-US
SID => 31d4d96e407aad42
lang => en-US
-
-
=== TEST 2: sanity 2
--- http_config eval: $::HttpConfig
--- config
@@ -188,7 +186,7 @@ SID => foo
key = "Name", value = "Bob", path = "/",
domain = "example.com", secure = true, httponly = true,
expires = "Wed, 09 Jun 2021 10:18:14 GMT", max_age = 50,
- extension = "a4334aebaec"
+ samesite = "Strict", extension = "a4334aebaec"
})
if not ok then
ngx.log(ngx.ERR, err)
@@ -202,7 +200,7 @@ GET /t
--- no_error_log
[error]
--- response_headers
-Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; a4334aebaec
+Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=Strict; a4334aebaec
--- response_body
Set cookie
@@ -307,3 +305,42 @@ GET /t
--- raw_response_headers_unlike: Set-Cookie: Name=Bob; Path=/\r\nSet-Cookie: Age=20\r\nSet-Cookie: Name=Bob; Path=/
--- response_body
Set cookie
+
+
+=== TEST 9: set cookie with invalid SameSite attribute
+--- http_config eval: $::HttpConfig
+--- config
+ location /t {
+ content_by_lua '
+ local ck = require "resty.cookie"
+ local cookie, err = ck:new()
+ if not cookie then
+ ngx.log(ngx.ERR, err)
+ return
+ end
+
+ local ok, err = cookie:set({
+ key = "Name", value = "Bob", path = "/",
+ domain = "example.com", secure = true, httponly = true,
+ expires = "Wed, 09 Jun 2021 10:18:14 GMT", max_age = 50,
+ samesite = "blahblah", extension = "a4334aebaec"
+ })
+ if not ok then
+ ngx.log(ngx.ERR, err)
+ return
+ end
+ ngx.say("Set cookie")
+ ';
+ }
+--- request
+GET /t
+--- no_error_log
+[error]
+--- error_log
+SameSite value must be 'Strict' or 'Lax'
+--- response_headers
+Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; a4334aebaec
+--- response_body
+Set cookie
+
+