Set safer defaults for private cookies.

2017-10-05 21:58:04 -07:00 · 2017-10-05 21:58:04 -07:00 · a90d625abe
parent 8de1e32130
commit a90d625abe
2 changed files with 23 additions and 10 deletions
--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@ -31,12 +31,16 @@ smallvec = "0.4"
 pear = "0.0.11"
 pear_codegen = "0.0.11"
 rustls = { version = "0.11.0", optional = true }
-cookie = { version = "0.10.0", features = ["percent-encode", "secure"] }
 hyper = { version = "0.10.13", default-features = false }
 hyper-sync-rustls = { version = "0.3.0-rc.1", features = ["server"], optional = true }
 ordermap = "0.2"
 isatty = "0.1"

+[dependencies.cookie]
+git = "https://github.com/alexcrichton/cookie-rs"
+rev = "9706ac"
+features = ["percent-encode", "secure"]
+
 [dev-dependencies]
 lazy_static = "0.2"
 rocket_codegen = { version = "0.4.0-dev", path = "../codegen" }
--- a/lib/src/http/cookies.rs
+++ b/lib/src/http/cookies.rs
@ -209,10 +209,16 @@ impl<'a> Cookies<'a> {
    /// [`get_private`](#method.get_private) and removed using
    /// [`remove_private`](#method.remove_private).
    ///
-    /// If a path is not set on `cookie`, the `"/"` path will automatically be
-    /// set. If a `SameSite` attribute is not set, the attribute will be set to
-    /// `Strict`. These defaults ensure maximum usability and security. For
-    /// additional security, you may wish to set the `http_only` flag.
+    /// Unless a value is supplied for the given key, the following defaults are
+    /// set on `cookie` before being added to `self`:
+    ///
+    ///    * `path`: `"/"`
+    ///    * `SameSite`: `Strict`
+    ///    * `HttpOnly`: `true`
+    ///    * `Expires`: 1 week from now
+    ///
+    /// These defaults ensure maximum usability and security. For additional
+    /// security, you may wish to set the `secure` flag.
    ///
    /// # Example
    ///
@ -221,11 +227,6 @@ impl<'a> Cookies<'a> {
    ///
    /// fn handler(mut cookies: Cookies) {
    ///     cookies.add_private(Cookie::new("name", "value"));
-    ///
-    ///     // Set the `HttpOnly` flag.
-    ///     let mut cookie = Cookie::new("name", "value");
-    ///     cookie.set_http_only(true);
-    ///     cookies.add(cookie);
    /// }
    /// ```
    pub fn add_private(&mut self, mut cookie: Cookie<'static>) {
@ -234,6 +235,14 @@ impl<'a> Cookies<'a> {
                cookie.set_path("/");
            }

+            if cookie.http_only().is_none() {
+                cookie.set_http_only(true);
+            }
+
+            if cookie.expires().is_none() {
+                cookie.set_expires(::time::now() + ::time::Duration::weeks(1));
+            }
+
            if cookie.same_site().is_none() {
                cookie.set_same_site(SameSite::Strict);
            }