X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Plugin-Session-State-Cookie.git;a=blobdiff_plain;f=lib%2FCatalyst%2FPlugin%2FSession%2FState%2FCookie.pm;h=9f31965203180b8e8d3a77c17f1804a1319d9488;hp=aae53326c48ca9fc6adc650b11adc65dbdd230ac;hb=ab649d6b05c0b11e96f08f420d83d02db39766ce;hpb=66ae88d95332f6c87b1c4de8e212afc29f0d4319 diff --git a/lib/Catalyst/Plugin/Session/State/Cookie.pm b/lib/Catalyst/Plugin/Session/State/Cookie.pm index aae5332..9f31965 100644 --- a/lib/Catalyst/Plugin/Session/State/Cookie.pm +++ b/lib/Catalyst/Plugin/Session/State/Cookie.pm @@ -7,7 +7,7 @@ use warnings; use MRO::Compat; use Catalyst::Utils (); -our $VERSION = "0.11"; +our $VERSION = "0.12"; BEGIN { __PACKAGE__->mk_accessors(qw/_deleted_session_id/) } @@ -40,7 +40,7 @@ sub set_session_id { sub update_session_cookie { my ( $c, $updated ) = @_; - + unless ( $c->cookie_is_rejecting( $updated ) ) { my $cookie_name = $c->config->{session}{cookie_name}; $c->response->cookies->{$cookie_name} = $updated; @@ -49,11 +49,11 @@ sub update_session_cookie { sub cookie_is_rejecting { my ( $c, $cookie ) = @_; - + if ( $cookie->{path} ) { return 1 if index '/'.$c->request->path, $cookie->{path}; } - + return 0; } @@ -75,8 +75,8 @@ sub make_session_cookie { #beware: we have to accept also the old syntax "cookie_secure = true" my $sec = $cfg->{cookie_secure} || 0; # default = 0 (not set) $cookie->{secure} = 1 unless ( ($sec==0) || ($sec==2) ); - $cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure ); - + $cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure ); + my $hto = $cookie->{httponly} || 1; # default = 1 (set httponly) $cookie->{httponly} = 1 unless ($hto==0); 
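Review bot: In the make_session_cookie hunk, `$cookie->{secure} = 1 unless ( ($sec==0) || ($sec==2) );` compares the configured value numerically, so a non-numeric setting such as the literal string "true" that the preceding comment says must still be accepted numifies to 0 (with a warning) and the secure flag is silently left off, which is a fail-open for a security attribute if the option can arrive as a string from the config loader. A guard that honours Perl truth for anything outside the explicit 0/1/2 protocol would keep the old behaviour, e.g. `$sec = 1 if $sec && $sec !~ /^[012]$/;` placed before the two `secure` lines. Separately, `my $hto = $cookie->{httponly} || 1;` can never be 0 because `||` replaces a configured 0 with the default, so the `unless ($hto==0)` guard is dead and HttpOnly is always set, contradicting the cookie_httponly POD touched later in this same patch; `my $hto = defined $cookie->{httponly} ? $cookie->{httponly} : 1;` would let the documented opt-out work, presuming that option is copied into `$cookie` outside the hunk. make_session_cookie starts and ends outside this hunk.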
@@ -119,7 +119,7 @@ sub get_session_cookie { sub get_session_id { my $c = shift; - if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) { + if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) { my $sid = $cookie->value; $c->log->debug(qq/Found sessionid "$sid" in cookie/) if $c->debug; return $sid if $sid; @@ -130,7 +130,7 @@ sub get_session_id { sub delete_session_id { my ( $c, $sid ) = @_; - + $c->_deleted_session_id(1); # to prevent get_session_id from returning it $c->update_session_cookie( $c->make_session_cookie( $sid, expires => 0 ) ); @@ -222,20 +222,20 @@ The name of the domain to store in the cookie (defaults to current host) =item cookie_expires -Number of seconds from now you want to elapse before cookie will expire. -Set to 0 to create a session cookie, ie one which will die when the +Number of seconds from now you want to elapse before cookie will expire. +Set to 0 to create a session cookie, ie one which will die when the user's browser is shut down. =item cookie_secure If this attribute B the cookie will not have the secure flag. -If this attribute B (or true for backward compatibility) - the cookie -send by the server to the client will got the secure flag that tells the browser +If this attribute B (or true for backward compatibility) - the cookie +send by the server to the client will got the secure flag that tells the browser to send this cookies back to the server only via HTTPS. If this attribute B then the cookie will got the secure flag only if -the request that caused cookie generation was sent over https (this option is +the request that caused cookie generation was sent over https (this option is not good if you are mixing https and http in you application). Default vaule is 0. 
@@ -244,16 +244,16 @@ Default vaule is 0. If this attribute B, the cookie will not have HTTPOnly flag. -If this attribute B, the cookie will got HTTPOnly flag that should +If this attribute B, the cookie will got HTTPOnly flag that should prevent client side Javascript accessing the cookie value - this makes some sort of session hijacking attacks significantly harder. Unfortunately not all -browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if +browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if a browser is not aware of HTTPOnly the flag will be ignored. Default value is 1. Note1: Many peole are confused by the name "HTTPOnly" - it B -that this cookie works only over HTTP and not over HTTPS. +that this cookie works only over HTTP and not over HTTPS. Note2: This paramater requires Catalyst::Runtime 5.80005 otherwise is skipped.