Added config options to set the HttpOnly and SameSite directives on the session cookie.

Author: ot-whitingm

cppcms/capi/session.h

@@ -155,6 +155,12 @@ CPPCMS_API long long cppcms_capi_cookie_expires(cppcms_capi_cookie const *cookie
 
 CPPCMS_API int cppcms_capi_cookie_is_secure(cppcms_capi_cookie const *cookie);
 
+CPPCMS_API int cppcms_capi_cookie_is_httponly(cppcms_capi_cookie const *cookie);
+
+CPPCMS_API int cppcms_capi_cookie_samesite_none_defined(cppcms_capi_cookie const *cookie);
+CPPCMS_API int cppcms_capi_cookie_samesite_lax_defined(cppcms_capi_cookie const *cookie);
+CPPCMS_API int cppcms_capi_cookie_samesite_strict_defined(cppcms_capi_cookie const *cookie);
+
 ///
 /// @}
 ///

private/cached_settings.h

@@ -142,6 +142,10 @@ namespace impl {
 				bool use_age;
 				bool use_exp;
 				bool secure;
+				bool httponly;
+				bool use_samesite_none;
+				bool use_samesite_lax;
+				bool use_samesite_strict;
 				bool remove_unknown_cookies;
 			} cookies;
 			cached_session(json::value const &v)
@@ -173,6 +177,22 @@ namespace impl {
 					cookies.use_age = cookies.use_exp = true;
 				}
 				cookies.secure = v.get("session.cookies.secure",false);
+				cookies.httponly = v.get("session.cookies.httponly", false);
+
+				std::string samesite = v.get("session.cookies.samesite", "");
+				cookies.use_samesite_none = false;
+				cookies.use_samesite_lax = false;
+				cookies.use_samesite_strict = false;
+				if (samesite == "none") {
+					cookies.use_samesite_none = true;
+				} else if (samesite == "lax") {
+					cookies.use_samesite_lax = true;
+				} else if (samesite == "strict") {
+					cookies.use_samesite_strict = true;
+				} else if (!samesite.empty()) {
+					BOOSTER_WARNING("cppcms") << "Invalid session.cookies.samesite"
+					  "if set should be one of 'none', 'lax', or 'strict'; defaults to unset";
+				}
 			}
 		} session;
 		struct cached_misc {

src/capi/session.cpp

@@ -108,6 +108,10 @@ struct cppcms_capi_cookie {
 	std::string path;
 	std::string domain;
 	bool secure;
+	bool httponly;
+	bool has_samesite_none;
+	bool has_samesite_lax;
+	bool has_samesite_strict;
 	bool has_expires;
 	bool has_max_age;
 	time_t expires;
@@ -121,6 +125,10 @@ struct cppcms_capi_cookie {
 		path(c.path()),
 		domain(c.domain()),
 		secure(c.secure()),
+		httponly(c.httponly()),
+		has_samesite_none(c.samesite_none()),
+		has_samesite_lax(c.samesite_lax()),
+		has_samesite_strict(c.samesite_strict()),
 		has_expires(c.expires_defined()),
 		has_max_age(c.max_age_defined()),
 		expires(c.expires()),
@@ -764,4 +772,10 @@ long long cppcms_capi_cookie_expires(cppcms_capi_cookie const *cookie) { return
 
 int cppcms_capi_cookie_is_secure(cppcms_capi_cookie const *cookie) { return cookie ? cookie->secure: -1; }
 
+int cppcms_capi_cookie_is_httponly(cppcms_capi_cookie const *cookie) { return cookie ? cookie->httponly: -1; }
+
+int cppcms_capi_cookie_samesite_none_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_none: -1; }
+int cppcms_capi_cookie_samesite_lax_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_lax: -1; }
+int cppcms_capi_cookie_samesite_strict_defined(cppcms_capi_cookie const *cookie) { return cookie ? cookie->has_samesite_strict: -1; }
+
 } // extern "C"

src/session_interface.cpp

@@ -481,6 +481,10 @@ void session_interface::set_session_cookie(int64_t age,std::string const &data,s
 	bool use_exp = cached_settings().session.cookies.use_exp;
 
 	bool secure = cached_settings().session.cookies.secure;
+	bool httponly = cached_settings().session.cookies.httponly;
+	bool use_samesite_none = cached_settings().session.cookies.use_samesite_none;
+	bool use_samesite_lax = cached_settings().session.cookies.use_samesite_lax;
+	bool use_samesite_strict = cached_settings().session.cookies.use_samesite_strict;
 
 	http::cookie the_cookie(cookie_name,util::urlencode(data),path,domain);
 
@@ -501,8 +505,11 @@ void session_interface::set_session_cookie(int64_t age,std::string const &data,s
 		}
 	}
 
-
 	the_cookie.secure(secure);
+	the_cookie.httponly(httponly);
+	the_cookie.samesite_none(use_samesite_none);
+	the_cookie.samesite_lax(use_samesite_lax);
+	the_cookie.samesite_strict(use_samesite_strict);
 
 	if(d->adapter)
 		d->adapter->set_cookie(the_cookie);