I'm thinking of "augmenting" WAResponse>>asHttpResponse: with the
following,

    (eachCookie canUnderstand: #secure)
        ifTrue: [cookieValue secure: eachCookie secure].
    (eachCookie canUnderstand: #httponly)
        ifTrue: [cookieValue httponly: eachCookie httponly].

where 'eachCookie' is an instance of WASecureCookie, which is a cookie that has its #httponly attribute set to true and #secure set to true or false depending on application's #serverProtocol preference (true for #https, false for #http). I am currently trying to convince core Seaside folks to make #secure and #httponly part of base WACookie, but we're not there yet.

This is all great, except SetCookieValue currently has no notion of HttpOnly. Can I request that it be considered for addition in 7.7 along with the aforementioned changes to Seaside-Opentalk (or some flavor anyway)?

    MySession>>sessionCookie
        "Copy the stock session cookie into a WASecureCookie;
         Secure is set only when the application is served over https."
        | plain secure |
        plain := super sessionCookie.
        secure := (WASecureCookie new)
            key: plain key;
            value: plain value;
            path: plain path;
            httponly: true;
            secure: self application serverProtocol = #https;
            yourself.
        plain expiry ifNotNil: [:exp | secure expiry: exp].
        ^secure.

    DeepCoveLabs.Web defineClass: #WASecureCookie
        superclass: #{Seaside.WACookie}
        indexedType: #none
        private: false
        instanceVariableNames: 'secure httponly '
        classInstanceVariableNames: ''
        imports: ''
        category: ''!

    !DeepCoveLabs.Web.WASecureCookie methodsFor: 'accessing'!

    httponly
        ^httponly ifNil: [httponly := true].!

    httponly: anObject
        httponly := anObject.!

    secure
        ^secure ifNil: [secure := false].!

    secure: anObject
        secure := anObject.! !

    !DeepCoveLabs.Web.WASecureCookie methodsFor: 'writing'!

    writeOn: aStream
        "Append the flags after the attributes written by WACookie."
        super writeOn: aStream.
        self secure ifTrue: [aStream nextPutAll: '; secure'].
        self httponly ifTrue: [aStream nextPutAll: '; HttpOnly'].! !

Thanks!

-Boris

--
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

[hidden email]

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header. Unless otherwise indicated, it contains information that is private and confidential. If you have received it in error, please notify the sender and delete the entire message including any attachments.

Thank you.

_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc

It appears that Seaside 2.9 will support the following cookie attributes
out of the box,

- discard
- secure
- httponly

I would recommend that Seaside-Opentalk and Net be modified to support them as well.

Thanks!

-Boris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Boris Popov
Sent: Tuesday, March 17, 2009 5:12 PM
To: [hidden email]
Subject: [vwnc] Seaside-Opentalk support for HttpOnly and Secure cookie attributes

Agreed.

Boris Popov wrote:
> It appears that Seaside 2.9 will support the following cookie attributes
> out of the box,
>
> - discard
> - secure
> - httponly
>
> I would recommend that Seaside-Opentalk and Net be modified to support
> them as well.
>
> Thanks!
>
> -Boris

Created AR#56640: "Add support for httponly, discard and secure cookie attributes"

Thanks,
Martin

"Michael Lucas-Smith"<[hidden email]> wrote:
> Date: March 18, 2009 12:43:17.000
> From: "Michael Lucas-Smith"<[hidden email]>
> To: "Boris Popov"<[hidden email]>
> Cc: [hidden email]
> Subject: Re: [vwnc] Seaside-Opentalk support for HttpOnly and Secure cookie attributes
>
> Agreed.

In the meantime we've delegated adding these attributes to our load
balancer with the following iRule (in case anyone is interested),

    when HTTP_RESPONSE {
        # Visit every cookie set on the response.
        foreach cookie [HTTP::cookie names] {
            set value [HTTP::cookie value $cookie];
            if { "" != $value } {
                # Lower-case copy so the attribute checks are case-insensitive.
                set testvalue [string tolower $value]
                set valuelen [string length $value]
                log local0. "Cookie found: $cookie = $value";
                # Append Secure unless the value already carries it.
                switch -glob $testvalue {
                    "*;secure*" -
                    "*; secure*" { }
                    default { set value "$value; Secure"; }
                }
                # Append HttpOnly unless the value already carries it.
                switch -glob $testvalue {
                    "*;httponly*" -
                    "*; httponly*" { }
                    default { set value "$value; HttpOnly"; }
                }
                # Append Discard unless the value already carries it.
                switch -glob $testvalue {
                    "*;discard*" -
                    "*; discard*" { }
                    default { set value "$value; Discard"; }
                }
                # Rewrite the cookie only if something was appended.
                if { [string length $value] > $valuelen} {
                    log local0. "Replacing cookie $cookie with $value"
                    HTTP::cookie value $cookie "${value}"
                }
            }
        }
    }

This is an updated version of a rule found here,

http://tinyurl.com/57jqba

Hope this helps,

-Boris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, March 18, 2009 10:05 AM
To: Michael Lucas-Smith
Cc: [hidden email]
Subject: Re: [vwnc] Seaside-Opentalk support for HttpOnly and Secure cookie attributes

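
An added example, not part of the original thread and not Seaside, VisualWorks or F5 code: a small Python check that parses Set-Cookie header values and reports cookies lacking the attributes discussed above (HttpOnly always, Secure when the server protocol is https). The function names and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie header values for the attributes discussed in this thread."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            # Attribute names are case-insensitive; flags have an empty value.
            attrs[key.lower()] = val
    return name, value, attrs


def missing_attributes(header_value, server_protocol):
    """Return the attributes the thread's policy expects but the cookie lacks.

    Policy taken from the thread: HttpOnly always, Secure only when the
    application's server protocol is https.
    """
    _, _, attrs = parse_set_cookie(header_value)
    required = ["httponly"]
    if server_protocol == "https":
        required.append("secure")
    return [a for a in required if a not in attrs]


def audit(set_cookie_headers, server_protocol):
    """Map cookie name -> missing attributes, listing only failing cookies."""
    report = {}
    for header_value in set_cookie_headers:
        name, _, _ = parse_set_cookie(header_value)
        gaps = missing_attributes(header_value, server_protocol)
        if gaps:
            report[name] = gaps
    return report


# Constructed sample headers (not captured from a real server).
SAMPLE = [
    "_s=Xk3f9; path=/app",                     # no flags set
    "_s2=Qq81z; path=/app; secure; HttpOnly",  # flags as WASecureCookie>>writeOn: appends them
    "_k=v1; Path=/secure-area; HTTPONLY",      # "secure" appears only inside the path
]

if __name__ == "__main__":
    for cookie_name, gaps in audit(SAMPLE, "https").items():
        print(f"{cookie_name}: missing {', '.join(gaps)}")
```

Because attributes are compared as whole tokens, a path such as `/secure-area` does not count as the Secure flag.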