Added support for httpOnly flag for session extension and cookie setting

Ilia Alshanetsky · Ilia Alshanetsky · commit e5fe441cbd20 · 2006-08-10T13:50:56.000Z
functions.

# Original patch by Scott MacVicar
diff --git a/NEWS b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Aug 2006, PHP 5.2.0RC2
+- Added support for httpOnly flag for session extension and cookie setting
+  functions. (Scott MacVicar, Ilia)
 - Added version specific registry keys to allow different configurations for
   different php version. (Richard, Dmitry)
 - In addition to path to php.ini, PHPRC now may specify full file name. (Dmitry)
diff --git a/ext/session/php_session.h b/ext/session/php_session.h
@@ -103,6 +103,7 @@ typedef struct _php_ps_globals {
 	char *cookie_path;
 	char *cookie_domain;
 	zend_bool  cookie_secure;
+	zend_bool  cookie_httponly;
 	ps_module *mod;
 	void *mod_data;
 	php_session_status session_status;
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -165,6 +165,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.cookie_path",        "/",         PHP_INI_ALL, OnUpdateString, cookie_path,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateString, cookie_domain,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_secure",    "",          PHP_INI_ALL, OnUpdateBool,   cookie_secure,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_httponly",  "",          PHP_INI_ALL, OnUpdateBool,   cookie_httponly,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateBool,   use_cookies,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0",         PHP_INI_ALL, OnUpdateBool,   use_only_cookies,   php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,    ps_globals)
@@ -1012,6 +1013,7 @@ static int php_session_cache_limiter(TSRMLS_D)
 #define COOKIE_PATH		"; path="
 #define COOKIE_DOMAIN	"; domain="
 #define COOKIE_SECURE	"; secure"
+#define COOKIE_HTTPONLY	"; HttpOnly"
 
 static void php_session_send_cookie(TSRMLS_D)
 {
@@ -1065,6 +1067,10 @@ static void php_session_send_cookie(TSRMLS_D)
 		smart_str_appends(&ncookie, COOKIE_SECURE);
 	}
 
+	if (PS(cookie_httponly)) {
+		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
+	}
+
 	smart_str_0(&ncookie);
 	
 	/*	'replace' must be 0 here, else a previous Set-Cookie
@@ -1296,13 +1302,13 @@ static zend_bool php_session_destroy(TSRMLS_D)
    Set session cookie parameters */
 PHP_FUNCTION(session_set_cookie_params)
 {
-	zval **lifetime, **path, **domain, **secure;
+	zval **lifetime, **path, **domain, **secure,  **httponly;
 
 	if (!PS(use_cookies))
 		return;
 
-	if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 ||
-		zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure) == FAILURE)
+	if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
+		zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure, &httponly) == FAILURE)
 		WRONG_PARAM_COUNT;
 
 	convert_to_string_ex(lifetime);
@@ -1319,6 +1325,10 @@ PHP_FUNCTION(session_set_cookie_params)
 				convert_to_long_ex(secure);
 				zend_alter_ini_entry("session.cookie_secure", sizeof("session.cookie_secure"), Z_BVAL_PP(secure)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 			}
+			    if (ZEND_NUM_ARGS() > 4) {
+			    	    convert_to_long_ex(httponly);
+				    zend_alter_ini_entry("session.cookie_httponly", sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+			    }
 		}
 	}
 }
@@ -1338,6 +1348,7 @@ PHP_FUNCTION(session_get_cookie_params)
 	add_assoc_string(return_value, "path", PS(cookie_path), 1);
 	add_assoc_string(return_value, "domain", PS(cookie_domain), 1);
 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
+	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
 }
 /* }}} */
 
diff --git a/ext/standard/head.c b/ext/standard/head.c
@@ -60,7 +60,7 @@ PHPAPI int php_header(TSRMLS_D)
 }
 
 
-PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC)
+PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode, int httponly TSRMLS_DC)
 {
 	char *cookie, *encoded_value = NULL;
 	int len=sizeof("Set-Cookie: ");
@@ -131,6 +131,9 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 	if (secure) {
 		strcat(cookie, "; secure");
 	}
+	if (httponly) {
+		strcat(cookie, "; httponly");
+	}
 
 	ctr.line = cookie;
 	ctr.line_len = strlen(cookie);
@@ -142,45 +145,45 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 
 
 /* php_set_cookie(name, value, expires, path, domain, secure) */
-/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]])
+/* {{{ proto bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure[, bool httponly]]]]]])
    Send a cookie */
 PHP_FUNCTION(setcookie)
 {
 	char *name, *value = NULL, *path = NULL, *domain = NULL;
 	long expires = 0;
-	zend_bool secure = 0;
+	zend_bool secure = 0, httponly = 0;
 	int name_len, value_len, path_len, domain_len;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name,
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name,
 							  &name_len, &value, &value_len, &expires, &path,
-							  &path_len, &domain, &domain_len, &secure) == FAILURE) {
+							  &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) {
 		return;
 	}
 
-	if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 1 TSRMLS_CC) == SUCCESS) {
+	if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 1, httponly TSRMLS_CC) == SUCCESS) {
 		RETVAL_TRUE;
 	} else {
 		RETVAL_FALSE;
 	}
 }
 /* }}} */
 
-/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure]]]]])
+/* {{{ proto bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure[, bool httponly]]]]]])
    Send a cookie with no url encoding of the value */
 PHP_FUNCTION(setrawcookie)
 {
 	char *name, *value = NULL, *path = NULL, *domain = NULL;
 	long expires = 0;
-	zend_bool secure = 0;
+	zend_bool secure = 0, httponly = 0;
 	int name_len, value_len, path_len, domain_len;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssb", &name,
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|slssbb", &name,
 							  &name_len, &value, &value_len, &expires, &path,
-							  &path_len, &domain, &domain_len, &secure) == FAILURE) {
+							  &path_len, &domain, &domain_len, &secure, &httponly) == FAILURE) {
 		return;
 	}
 
-	if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 0 TSRMLS_CC) == SUCCESS) {
+	if (php_setcookie(name, name_len, value, value_len, expires, path, path_len, domain, domain_len, secure, 0, httponly TSRMLS_CC) == SUCCESS) {
 		RETVAL_TRUE;
 	} else {
 		RETVAL_FALSE;
diff --git a/ext/standard/head.h b/ext/standard/head.h
@@ -29,6 +29,6 @@ PHP_FUNCTION(headers_sent);
 PHP_FUNCTION(headers_list);
 
 PHPAPI int php_header(TSRMLS_D);
-PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode TSRMLS_DC);
+PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, time_t expires, char *path, int path_len, char *domain, int domain_len, int secure, int url_encode, int httponly TSRMLS_DC);
 
 #endif
diff --git a/php.ini-dist b/php.ini-dist
@@ -915,6 +915,9 @@ session.cookie_path = /
 ; The domain for which the cookie is valid.
 session.cookie_domain =
 
+; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
+session.cookie_httponly = 
+
 ; Handler used to serialize data.  php is the standard serializer of PHP.
 session.serialize_handler = php
 
diff --git a/php.ini-recommended b/php.ini-recommended
@@ -970,6 +970,9 @@ session.cookie_path = /
 ; The domain for which the cookie is valid.
 session.cookie_domain =
 
+; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
+session.cookie_httponly = 
+
 ; Handler used to serialize data.  php is the standard serializer of PHP.
 session.serialize_handler = php
 
