diff options
| author | Yorhel <git@yorhel.nl> | 2019-09-08 12:15:30 +0200 |
|---|---|---|
| committer | Yorhel <git@yorhel.nl> | 2019-09-08 12:16:00 +0200 |
| commit | 48391aac145cf9369f7a3fdd8e26f00fa2b7cbc0 (patch) | |
| tree | 2e0aa05053f15cce38f81f9d8d93d78769b38fb3 | |
| parent | 28f18ff529fade0b87763aae75c0c261ebce2387 (diff) | |
resCookie: Add support for Max-Age and SameSite properties
| -rw-r--r-- | lib/TUWF/Response.pm | 14 | ||||
| -rw-r--r-- | lib/TUWF/Response.pod | 14 |
2 files changed, 22 insertions, 6 deletions
diff --git a/lib/TUWF/Response.pm b/lib/TUWF/Response.pm index 21e6fce..628eb4d 100644 --- a/lib/TUWF/Response.pm +++ b/lib/TUWF/Response.pm @@ -82,7 +82,7 @@ sub resHeader { # name, value, %options. # value = undef -> remove cookie, # options: -# expires, path, domain, secure, httponly +# expires, path, domain, secure, httponly, maxage, samesite sub resCookie { my $self = shift; my $name = shift; @@ -93,11 +93,13 @@ sub resCookie { my @attr = (sprintf '%s=%s', $name, defined($value)?$value:''); $o{expires} = 0 if !defined $value; - push @attr, sprintf 'expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires}; - push @attr, "path=$o{path}" if $o{path}; - push @attr, "domain=$o{domain}" if $o{domain}; - push @attr, 'secure' if $o{secure}; - push @attr, 'httponly' if $o{httponly}; + push @attr, sprintf 'Expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires}; + push @attr, "Max-Age=$o{maxage}" if defined $o{maxage}; + push @attr, "Path=$o{path}" if $o{path}; + push @attr, "Domain=$o{domain}" if $o{domain}; + push @attr, "SameSite=$o{samesite}" if $o{samesite}; + push @attr, 'Secure' if $o{secure}; + push @attr, 'HttpOnly' if $o{httponly}; $self->{_TUWF}{Res}{cookies}{$name} = join '; ', @attr; } diff --git a/lib/TUWF/Response.pod b/lib/TUWF/Response.pod index febe915..3ceb34f 100644 --- a/lib/TUWF/Response.pod +++ b/lib/TUWF/Response.pod @@ -69,6 +69,11 @@ A UNIX timestamp indicating when this cookie should expire. A value before the current C<time()> means the cookie should be immediately removed, which is equivalent to setting I<value> to undef. +=item maxage + +Number of seconds until the cookie expires. May be used instead of or together +with C<expires>. Older browsers do not support this option. + =item domain The domain name for which this cookie should be used. @@ -87,8 +92,17 @@ will only be present if the client is connected through HTTPS. Set to true to only allow the cookie to be read using HTTP. That is, disallow the cookie to be used within Javascript. +=item samesite + +Set to C<'Strict'> or C<'Lax'> to prevent this cookie to be included in +requests originating from other domains, as a measure against CSRF attacks. Set +to C<'None'> to disable such protections. + =back +For more information about the meaning and interpretation of those options, see +L<the MDN documentation|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie>. + It is possible to set defaults for these options with the L<cookie_defaults|TUWF/cookie_defaults> setting. |