diff options
authorYorhel <>2019-09-08 12:15:30 +0200
committerYorhel <>2019-09-08 12:16:00 +0200
commit48391aac145cf9369f7a3fdd8e26f00fa2b7cbc0 (patch)
parent28f18ff529fade0b87763aae75c0c261ebce2387 (diff)
resCookie: Add support for Max-Age and SameSite properties
2 files changed, 22 insertions, 6 deletions
diff --git a/lib/TUWF/ b/lib/TUWF/
index 21e6fce..628eb4d 100644
--- a/lib/TUWF/
+++ b/lib/TUWF/
@@ -82,7 +82,7 @@ sub resHeader {
# name, value, %options.
# value = undef -> remove cookie,
# options:
-# expires, path, domain, secure, httponly
+# expires, path, domain, secure, httponly, maxage, samesite
sub resCookie {
my $self = shift;
my $name = shift;
@@ -93,11 +93,13 @@ sub resCookie {
my @attr = (sprintf '%s=%s', $name, defined($value)?$value:'');
$o{expires} = 0 if !defined $value;
- push @attr, sprintf 'expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires};
- push @attr, "path=$o{path}" if $o{path};
- push @attr, "domain=$o{domain}" if $o{domain};
- push @attr, 'secure' if $o{secure};
- push @attr, 'httponly' if $o{httponly};
+ push @attr, sprintf 'Expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires};
+ push @attr, "Max-Age=$o{maxage}" if defined $o{maxage};
+ push @attr, "Path=$o{path}" if $o{path};
+ push @attr, "Domain=$o{domain}" if $o{domain};
+ push @attr, "SameSite=$o{samesite}" if $o{samesite};
+ push @attr, 'Secure' if $o{secure};
+ push @attr, 'HttpOnly' if $o{httponly};
$self->{_TUWF}{Res}{cookies}{$name} = join '; ', @attr;
diff --git a/lib/TUWF/Response.pod b/lib/TUWF/Response.pod
index febe915..3ceb34f 100644
--- a/lib/TUWF/Response.pod
+++ b/lib/TUWF/Response.pod
@@ -69,6 +69,11 @@ A UNIX timestamp indicating when this cookie should expire. A value before the
current C<time()> means the cookie should be immediately removed, which is
equivalent to setting I<value> to undef.
+=item maxage
+Number of seconds until the cookie expires. May be used instead of or together
+with C<expires>. Older browsers do not support this option.
=item domain
The domain name for which this cookie should be used.
@@ -87,8 +92,17 @@ will only be present if the client is connected through HTTPS.
Set to true to only allow the cookie to be read using HTTP. That is, disallow
the cookie to be used within Javascript.
+=item samesite
+Set to C<'Strict'> or C<'Lax'> to prevent this cookie to be included in
+requests originating from other domains, as a measure against CSRF attacks. Set
+to C<'None'> to disable such protections.
+For more information about the meaning and interpretation of those options, see
+L<the MDN documentation|>.
It is possible to set defaults for these options with the
L<cookie_defaults|TUWF/cookie_defaults> setting.