From 48391aac145cf9369f7a3fdd8e26f00fa2b7cbc0 Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Sun, 8 Sep 2019 12:15:30 +0200
Subject: resCookie: Add support for Max-Age and SameSite properties
---
 lib/TUWF/Response.pm | 14 ++++++++------
 lib/TUWF/Response.pod | 14 ++++++++++++++
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/lib/TUWF/Response.pm b/lib/TUWF/Response.pm
index 21e6fce..628eb4d 100644
--- a/lib/TUWF/Response.pm
+++ b/lib/TUWF/Response.pm
@@ -82,7 +82,7 @@ sub resHeader {
 # name, value, %options.
 # value = undef -> remove cookie,
 # options:
-# expires, path, domain, secure, httponly
+# expires, path, domain, secure, httponly, maxage, samesite
 sub resCookie {
 my $self = shift;
 my $name = shift;
@@ -93,11 +93,13 @@ sub resCookie {
 my @attr = (sprintf '%s=%s', $name, defined($value)?$value:'');
 $o{expires} = 0 if !defined $value;
- push @attr, sprintf 'expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires};
- push @attr, "path=$o{path}" if $o{path};
- push @attr, "domain=$o{domain}" if $o{domain};
- push @attr, 'secure' if $o{secure};
- push @attr, 'httponly' if $o{httponly};
+ push @attr, sprintf 'Expires=%s', strftime("%a, %d %b %Y %H:%M:%S GMT", gmtime $o{expires}) if defined $o{expires};
+ push @attr, "Max-Age=$o{maxage}" if defined $o{maxage};
+ push @attr, "Path=$o{path}" if $o{path};
+ push @attr, "Domain=$o{domain}" if $o{domain};
+ push @attr, "SameSite=$o{samesite}" if $o{samesite};
+ push @attr, 'Secure' if $o{secure};
+ push @attr, 'HttpOnly' if $o{httponly};
 $self->{_TUWF}{Res}{cookies}{$name} = join '; ', @attr;
 }
diff --git a/lib/TUWF/Response.pod b/lib/TUWF/Response.pod
index febe915..3ceb34f 100644
--- a/lib/TUWF/Response.pod
+++ b/lib/TUWF/Response.pod
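Review bot: Removing a cookie (undef value) still only zeroes `expires`, so when `maxage` reaches `%o` through the application-wide cookie defaults the pod describes, the deletion header carries both `Expires=` at the epoch and a positive `Max-Age=`, and RFC 6265 gives Max-Age precedence over Expires, so the cookie survives; add `$o{maxage} = 0 if !defined $value;` beside the existing `$o{expires} = 0` line (Max-Age of zero or less means "expire now"), noting that the `%o` construction and the start of resCookie lie above this hunk. The `SameSite` value is interpolated as given, and browsers silently fall back to their default on an unrecognised token, so a guard such as `die "invalid samesite value: $o{samesite}" unless $o{samesite} =~ m{\A(?:Strict|Lax|None)\z};` would turn a typo into an error at the call site. A comment on the `SameSite` line is also warranted: `# SameSite=None is only honoured by current browsers when Secure is set as well.`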
@@ -69,6 +69,11 @@ A UNIX timestamp indicating when this cookie should expire. A value before the current C means the cookie should be immediately removed, which is equivalent to setting I to undef.
+=item maxage
+
+Number of seconds until the cookie expires. May be used instead of or together
+with C. Older browsers do not support this option.
+
 =item domain The domain name for which this cookie should be used.
@@ -87,8 +92,17 @@ will only be present if the client is connected through HTTPS. Set to true to only allow the cookie to be read using HTTP. That is, disallow the cookie to be used within Javascript.
+=item samesite
+
+Set to C<'Strict'> or C<'Lax'> to prevent this cookie to be included in
+requests originating from other domains, as a measure against CSRF attacks. Set
+to C<'None'> to disable such protections.
+
 =back
+For more information about the meaning and interpretation of those options, see
+L.
+
 It is possible to set defaults for these options with the L setting.
--
cgit v1.2.3