1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* User Tracking Module (Was mod_cookies.c)
19 * *** IMPORTANT NOTE: This module is not designed to generate
20 * *** cryptographically secure cookies. This means you should not
21 * *** use cookies generated by this module for authentication purposes
23 * This Apache module is designed to track users paths through a site.
24 * It uses the client-side state ("Cookie") protocol developed by Netscape.
25 * It is known to work on most browsers.
27 * Each time a page is requested we look to see if the browser is sending
28 * us a Cookie: header that we previously generated.
30 * If we don't find one then the user hasn't been to this site since
31 * starting their browser or their browser doesn't support cookies. So
32 * we generate a unique Cookie for the transaction and send it back to
33 * the browser (via a "Set-Cookie" header)
34 * Future requests from the same browser should keep the same Cookie line.
36 * By matching up all the requests with the same cookie you can
37 * work out exactly what path a user took through your site. To log
38 * the cookie use the " %{Cookie}n " directive in a custom access log;
40 * Example 1 : If you currently use the standard Log file format (CLF)
41 * and use the command "TransferLog somefilename", add the line
42 * LogFormat "%h %l %u %t \"%r\" %s %b %{Cookie}n"
43 * to your config file.
45 * Example 2 : If you used to use the old "CookieLog" directive, you
46 * can emulate it by adding the following command to your config file
47 * CustomLog filename "%{Cookie}n \"%r\" %t"
49 * Mark Cox, mjc@apache.org, 6 July 95
51 * This file replaces mod_cookies.c
56 #include "apr_strings.h"
58 #define APR_WANT_STRFUNC
62 #include "http_config.h"
63 #include "http_core.h"
64 #include "http_request.h"
67 module AP_MODULE_DECLARE_DATA usertrack_module;
86 char *regexp_string; /* used to compile regexp; save for debugging */
87 regex_t *regexp; /* used to find usertrack cookie in cookie header */
90 /* Make Cookie: Now we have to generate something that is going to be
91 * pretty unique. We can base it on the pid, time, hostip */
93 #define COOKIE_NAME "Apache"
95 static void make_cookie(request_rec *r)
97 cookie_log_state *cls = ap_get_module_config(r->server->module_config,
99 /* 1024 == hardcoded constant */
100 char cookiebuf[1024];
102 const char *rname = ap_get_remote_host(r->connection, r->per_dir_config,
104 cookie_dir_rec *dcfg;
106 dcfg = ap_get_module_config(r->per_dir_config, &usertrack_module);
108 /* XXX: hmm, this should really tie in with mod_unique_id */
109 apr_snprintf(cookiebuf, sizeof(cookiebuf), "%s.%" APR_TIME_T_FMT, rname,
114 /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
115 new_cookie = apr_psprintf(r->pool, "%s=%s; path=/",
116 dcfg->cookie_name, cookiebuf);
118 if ((dcfg->style == CT_UNSET) || (dcfg->style == CT_NETSCAPE)) {
120 apr_time_exp_gmt(&tms, r->request_time
121 + apr_time_from_sec(cls->expires));
122 new_cookie = apr_psprintf(r->pool,
124 "%.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
125 new_cookie, apr_day_snames[tms.tm_wday],
127 apr_month_snames[tms.tm_mon],
129 tms.tm_hour, tms.tm_min, tms.tm_sec);
132 new_cookie = apr_psprintf(r->pool, "%s; max-age=%d",
133 new_cookie, cls->expires);
137 new_cookie = apr_psprintf(r->pool, "%s=%s; path=/",
138 dcfg->cookie_name, cookiebuf);
140 if (dcfg->cookie_domain != NULL) {
141 new_cookie = apr_pstrcat(r->pool, new_cookie, "; domain=",
143 (dcfg->style == CT_COOKIE2
149 apr_table_addn(r->headers_out,
150 (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
152 apr_table_setn(r->notes, "cookie", apr_pstrdup(r->pool, cookiebuf)); /* log first time */
156 /* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)",
157 * which has three subexpressions, $0..$2 */
160 static void set_and_comp_regexp(cookie_dir_rec *dcfg,
162 const char *cookie_name)
164 int danger_chars = 0;
165 const char *sp = cookie_name;
167 /* The goal is to end up with this regexp,
168 * ^cookie_name=([^;]+)|;[\t]+cookie_name=([^;]+)
169 * with cookie_name obviously substituted either
170 * with the real cookie name set by the user in httpd.conf, or with the
171 * default COOKIE_NAME.
174 /* Anyway, we need to escape the cookie_name before pasting it
178 if (!apr_isalnum(*sp)) {
186 cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */
190 if (!apr_isalnum(*sp)) {
198 dcfg->regexp_string = apr_pstrcat(p, "^",
204 dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, REG_EXTENDED);
205 ap_assert(dcfg->regexp != NULL);
208 static int spot_cookie(request_rec *r)
210 cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config,
212 const char *cookie_header;
213 regmatch_t regm[NUM_SUBS];
215 /* Do not run in subrequests */
216 if (!dcfg->enabled || r->main) {
220 if ((cookie_header = apr_table_get(r->headers_in, "Cookie"))) {
221 if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) {
222 char *cookieval = NULL;
224 * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
225 * only allows for $1 or $2 to be available. ($0 is always
226 * filled with the entire matched expression, not just
227 * the part in parentheses.) So just check for either one
228 * and assign to cookieval if present. */
229 if (regm[1].rm_so != -1) {
230 cookieval = ap_pregsub(r->pool, "$1", cookie_header,
233 if (regm[2].rm_so != -1) {
234 cookieval = ap_pregsub(r->pool, "$2", cookie_header,
237 /* Set the cookie in a note, for logging */
238 apr_table_setn(r->notes, "cookie", cookieval);
240 return DECLINED; /* There's already a cookie, no new one */
244 return OK; /* We set our cookie */
247 static void *make_cookie_log_state(apr_pool_t *p, server_rec *s)
249 cookie_log_state *cls =
250 (cookie_log_state *) apr_palloc(p, sizeof(cookie_log_state));
257 static void *make_cookie_dir(apr_pool_t *p, char *d)
259 cookie_dir_rec *dcfg;
261 dcfg = (cookie_dir_rec *) apr_pcalloc(p, sizeof(cookie_dir_rec));
262 dcfg->cookie_name = COOKIE_NAME;
263 dcfg->cookie_domain = NULL;
264 dcfg->style = CT_UNSET;
267 /* In case the user does not use the CookieName directive,
268 * we need to compile the regexp for the default cookie name. */
269 set_and_comp_regexp(dcfg, p, COOKIE_NAME);
274 static const char *set_cookie_enable(cmd_parms *cmd, void *mconfig, int arg)
276 cookie_dir_rec *dcfg = mconfig;
282 static const char *set_cookie_exp(cmd_parms *parms, void *dummy,
285 cookie_log_state *cls;
286 time_t factor, modifier = 0;
290 cls = ap_get_module_config(parms->server->module_config,
292 /* The simple case first - all numbers (we assume) */
293 if (apr_isdigit(arg[0]) && apr_isdigit(arg[strlen(arg) - 1])) {
294 cls->expires = atol(arg);
299 * The harder case - stolen from mod_expires
301 * CookieExpires "[plus] {<num> <type>}*"
304 word = ap_getword_conf(parms->pool, &arg);
305 if (!strncasecmp(word, "plus", 1)) {
306 word = ap_getword_conf(parms->pool, &arg);
309 /* {<num> <type>}* */
312 if (apr_isdigit(word[0]))
315 return "bad expires code, numeric value expected.";
318 word = ap_getword_conf(parms->pool, &arg);
320 return "bad expires code, missing <type>";
323 if (!strncasecmp(word, "years", 1))
324 factor = 60 * 60 * 24 * 365;
325 else if (!strncasecmp(word, "months", 2))
326 factor = 60 * 60 * 24 * 30;
327 else if (!strncasecmp(word, "weeks", 1))
328 factor = 60 * 60 * 24 * 7;
329 else if (!strncasecmp(word, "days", 1))
330 factor = 60 * 60 * 24;
331 else if (!strncasecmp(word, "hours", 1))
333 else if (!strncasecmp(word, "minutes", 2))
335 else if (!strncasecmp(word, "seconds", 1))
338 return "bad expires code, unrecognized type";
340 modifier = modifier + factor * num;
343 word = ap_getword_conf(parms->pool, &arg);
346 cls->expires = modifier;
351 static const char *set_cookie_name(cmd_parms *cmd, void *mconfig,
354 cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig;
356 dcfg->cookie_name = apr_pstrdup(cmd->pool, name);
358 set_and_comp_regexp(dcfg, cmd->pool, name);
360 if (dcfg->regexp == NULL) {
361 return "Regular expression could not be compiled.";
363 if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) {
364 return apr_pstrcat(cmd->pool, "Invalid cookie name \"",
372 * Set the value for the 'Domain=' attribute.
374 static const char *set_cookie_domain(cmd_parms *cmd, void *mconfig,
377 cookie_dir_rec *dcfg;
379 dcfg = (cookie_dir_rec *) mconfig;
382 * Apply the restrictions on cookie domain attributes.
384 if (strlen(name) == 0) {
385 return "CookieDomain values may not be null";
387 if (name[0] != '.') {
388 return "CookieDomain values must begin with a dot";
390 if (ap_strchr_c(&name[1], '.') == NULL) {
391 return "CookieDomain values must contain at least one embedded dot";
394 dcfg->cookie_domain = apr_pstrdup(cmd->pool, name);
399 * Make a note of the cookie style we should use.
401 static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
404 cookie_dir_rec *dcfg;
406 dcfg = (cookie_dir_rec *) mconfig;
408 if (strcasecmp(name, "Netscape") == 0) {
409 dcfg->style = CT_NETSCAPE;
411 else if ((strcasecmp(name, "Cookie") == 0)
412 || (strcasecmp(name, "RFC2109") == 0)) {
413 dcfg->style = CT_COOKIE;
415 else if ((strcasecmp(name, "Cookie2") == 0)
416 || (strcasecmp(name, "RFC2965") == 0)) {
417 dcfg->style = CT_COOKIE2;
420 return apr_psprintf(cmd->pool, "Invalid %s keyword: '%s'",
421 cmd->cmd->name, name);
427 static const command_rec cookie_log_cmds[] = {
428 AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
429 "an expiry date code"),
430 AP_INIT_TAKE1("CookieDomain", set_cookie_domain, NULL, OR_FILEINFO,
431 "domain to which this cookie applies"),
432 AP_INIT_TAKE1("CookieStyle", set_cookie_style, NULL, OR_FILEINFO,
433 "'Netscape', 'Cookie' (RFC2109), or 'Cookie2' (RFC2965)"),
434 AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
435 "whether or not to enable cookies"),
436 AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
437 "name of the tracking cookie"),
441 static void register_hooks(apr_pool_t *p)
443 ap_hook_fixups(spot_cookie,NULL,NULL,APR_HOOK_MIDDLE);
446 module AP_MODULE_DECLARE_DATA usertrack_module = {
447 STANDARD20_MODULE_STUFF,
448 make_cookie_dir, /* dir config creater */
449 NULL, /* dir merger --- default is to override */
450 make_cookie_log_state, /* server config */
451 NULL, /* merge server configs */
452 cookie_log_cmds, /* command apr_table_t */
453 register_hooks /* register hooks */