
HttpOnly cookies impossible with mod_plsql?

Capt. Egg, Jul 9 2010 (edited Jun 4 2013)
I've noticed that OWA_COOKIE.SEND does not support the HttpOnly flag. So I attempted to achieve this manually by generating the "Set-Cookie" header. The problem is that something is sanitising my Set-Cookie header, no matter what I do.

begin
  htp.init;                                       -- reset the HTP output buffer
  htp.p('Set-Cookie: MY_COOKIE=TEST; HttpOnly');  -- emit a raw header line while the header block is still open
  owa_util.http_header_close;                     -- close the HTTP header block
  htp.p('hi!');                                   -- body
  htp.flush;
end;
/

Results in...

Set-Cookie: MY_COOKIE=TEST

In the raw response header. This does not occur when I execute the following PHP from the very same OHS...

<?php
header('Set-Cookie: MY_COOKIE=blah; HttpOnly');
?>

Then I get...

Set-Cookie: MY_COOKIE=blah; HttpOnly

This led me to believe the problem is in the htp.p procedure or perhaps mod_plsql. I trawled through the source for the SYS.HTP package and could see no such Set-Cookie sanitisation code. This is why I suspect mod_plsql is responsible.

Here's some version information...
A 404 page of the OHS reports... Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server

select owa_util.get_version from dual;

GET_VERSION
-----------
10.1.2.0.8

Apache version 2.0 (bundled with OHS, don't know how to confirm exact version)

Anyone know how to determine the mod_plsql version?

I've tried that block of PL/SQL both from an APEX page process and directly from a stored procedure. Both result in the trailing "; HttpOnly" being stripped. I've noticed that any change to the case of the letters in Set-Cookie is overridden and any parameters other than expires, domain, path and secure are stripped out. There doesn't seem to be any way for me to force a raw Set-Cookie header without this sanitisation occurring.

And here is the dads.conf entry...
<Location /pls/apex>
PlsqlErrorStyle DebugStyle
Order deny,allow
PlsqlDocumentPath docs
AllowOverride None
PlsqlDocumentProcedure wwv_flow_file_manager.process_download
PlsqlDatabaseConnectString captain.egg.com:1521:ssdev ServiceNameFormat
PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
PlsqlAuthenticationMode Basic
SetHandler pls_handler
PlsqlDocumentTablename wwv_flow_file_objects$
PlsqlDatabaseUsername APEX_PUBLIC_USER
PlsqlDefaultPage apex
PlsqlDatabasePassword NothingToSeeHere
Allow from all
</Location>

Edited by: Capt. Egg on Jul 8, 2010 11:38 PM
Added dads.conf
This post has been answered by brian.mcginity on Apr 8 2012
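The comparison the poster did by hand, reading the raw response headers from mod_plsql and from PHP, can be automated. The following is an added example (not code from the post or from Oracle) that parses Set-Cookie headers out of a raw response head, reports which cookies lack HttpOnly or Secure, and computes which attributes were lost between the header you emitted and the header the client received. The sample response heads are constructed from the two outputs quoted above.

```python
def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attr_lowercase: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_response_head(raw_head: str):
    """Return [(cookie_name, [missing flags])] for every Set-Cookie in a raw response head."""
    findings = []
    for line in raw_head.split("\r\n"):
        hdr, sep, val = line.partition(":")
        if not sep or hdr.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        findings.append((name, missing))
    return findings


def lost_attributes(sent: str, received: str):
    """Attributes present in the Set-Cookie you emitted but absent from what the client got."""
    _, _, sent_attrs = parse_set_cookie(sent)
    _, _, recv_attrs = parse_set_cookie(received)
    return set(sent_attrs) - set(recv_attrs)


# Constructed sample response heads, based on the two raw headers quoted in the post.
MODPLSQL_HEAD = "HTTP/1.1 200 OK\r\nSet-Cookie: MY_COOKIE=TEST\r\nContent-Type: text/html\r\n"
PHP_HEAD = "HTTP/1.1 200 OK\r\nSet-Cookie: MY_COOKIE=blah; HttpOnly\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, head in (("mod_plsql", MODPLSQL_HEAD), ("php", PHP_HEAD)):
        print(label, audit_response_head(head))
    print("stripped by mod_plsql:", lost_attributes("MY_COOKIE=TEST; HttpOnly", "MY_COOKIE=TEST"))
```

Feed `audit_response_head` the head of a real response (for example the output of a raw HTTP client) to confirm whether the attribute survived the server.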
Post Details
Locked on Jul 2 2013
Added on Jul 9 2010
13 comments
4,891 views