NAME
Cookie::Jar - Cookie Jar Class for Server & Client
SYNOPSIS
use Cookie::Jar;
my $jar = Cookie::Jar->new( request => $r ) ||
die( "An error occurred while trying to get the cookie jar:", Cookie::Jar->error );
# set the default host
$jar->host( 'www.example.com' );
$jar->fetch;
# or using a HTTP::Request object
# Retrieve cookies from Cookie header sent from client
$jar->fetch( request => $http_request );
if( $jar->exists( 'my-cookie' ) )
{
# do something
}
# get the cookie
my $sid = $jar->get( 'my-cookie' );
# get all cookies
my @all = $jar->get( 'my-cookie', 'example.com', '/' );
# set a new Set-Cookie header
$jar->set( 'my-cookie' => $cookie_object );
# Remove cookie from jar
$jar->delete( 'my-cookie' );
# or using the object itself:
$jar->delete( $cookie_object );
# Create and add cookie to jar
$jar->add(
name => 'session',
value => 'lang=en-GB',
path => '/',
secure => 1,
same_site => 'Lax',
) || die( $jar->error );
# or add an existing cookie
$jar->add( $some_cookie_object );
my $c = $jar->make({
name => 'my-cookie',
domain => 'example.com',
value => 'sid1234567',
path => '/',
expires => '+10D',
# or alternatively
maxage => 864000
# to make it exclusively accessible by regular http request and not ajax
http_only => 1,
# should it be used under ssl only?
secure => 1,
});
# Add the Set-Cookie headers
$jar->add_response_header;
# Alternatively, using a HTTP::Response object or equivalent
$jar->add_response_header( $http_response );
$jar->delete( 'some_cookie' );
$jar->do(sub
{
# cookie object is available as $_ or as first argument in @_
});
# For client side
# Takes a HTTP::Response object or equivalent
# Extract cookies from Set-Cookie headers received from server
$jar->extract( $http_response );
# get by domain; by default sort it
my $all = $jar->get_by_domain( 'example.com' );
# Reverse sort
$all = $jar->get_by_domain( 'example.com', sort => 0 );
# Save cookies repository as json
$jar->save( '/some/where/mycookies.json' ) || die( $jar->error );
# Load cookies into jar
$jar->load( '/some/where/mycookies.json' ) || die( $jar->error );
# Save encrypted
$jar->save( '/some/where/mycookies.json',
{
encrypt => 1,
key => $key,
iv => $iv,
algo => 'AES',
}) || die( $jar->error );
# Load cookies from encrypted file
$jar->load( '/some/where/mycookies.json',
{
decrypt => 1,
key => $key,
iv => $iv,
algo => 'AES'
}) || die( $jar->error );
# Merge repository
$jar->merge( $jar2 ) || die( $jar->error );
# For autosave
my $jar = Cookie::Jar->new(
file => '/some/where/cookies.json',
# True by default
autosave => 1,
encrypt => 1,
secret => 'My big secret',
algo => 'AES',
) || die( Cookie::Jar->error );
say "There are ", $jar->length, " cookies in the repository.";
# Take a string from a Set-Cookie header and get a Cookie object
my $c = $jar->extract_one( $cookie_string );
VERSION
v0.3.0
DESCRIPTION
This is a module to handle cookies, according to the latest standard as
set by rfc6265 <https://datatracker.ietf.org/doc/html/rfc6265>, both by
the http server and the client. Most modules out there are either
antiquated, i.e. they do not support latest cookie rfc6265
<https://datatracker.ietf.org/doc/html/rfc6265>, or they focus only on
http client side.
For example, Apache2::Cookie does not work well in decoding cookies, and
Cookie::Baker "Set-Cookie" timestamp format is wrong. They use
Mon-09-Jan 2020 12:17:30 GMT where it should be, as per rfc 6265 Mon, 09
Jan 2020 12:17:30 GMT
Also APR::Request::Cookie and Apache2::Cookie which is a wrapper around
APR::Request::Cookie return a cookie object that returns the value of
the cookie upon stringification instead of the full "Set-Cookie"
parameters. Clearly they designed it with a bias leaned toward
collecting cookies from the browser.
This module supports modperl and uses a Apache2::RequestRec if provided,
or can use package objects that implement similar interface as
HTTP::Request and HTTP::Response, or if none of those above are
available or provided, this module returns its results as a string.
This module is also compatible with LWP::UserAgent, so you can use like
this:
use LWP::UserAgent;
use Cookie::Jar;
my $ua = LWP::UserAgent->new(
cookie_jar => Cookie::Jar->new
);
It is also compatible with HTTP::Promise, such as:
use HTTP::Promise;
my $ua = HTTP::Promise->new( cookie_jar => Cookie::Jar->new );
This module does not die upon error, but instead returns "undef" and
sets an error, so you should always check the return value of a method.
METHODS
new
This initiates the package and takes the following parameters:
"request"
This is an optional parameter to provide a Apache2::RequestRec
object. When provided, it will be used in various methods to get or
set cookies from or onto http headers.
package MyApacheHandler;
use Apache2::Request ();
use Cookie::Jar;
sub handler : method
{
my( $class, $r ) = @_;
my $jar = Cookie::Jar->new( $r );
# Load cookies;
$jar->fetch;
$r->log_error( "$class: Found ", $jar->repo->length, " cookies." );
$jar->add(
name => 'session',
value => 'lang=en-GB',
path => '/',
secure => 1,
same_site => 'Lax',
);
# Will use Apache2::RequestRec object to set the Set-Cookie headers
$jar->add_response_header || do
{
$r->log_reason( "Unable to add Set-Cookie to response header: ", $jar->error );
return( Apache2::Const::HTTP_INTERNAL_SERVER_ERROR );
};
# Do some more computing
return( Apache2::Const::OK );
}
"debug"
Optional. If set with a positive integer, this will activate verbose
debugging message
add
Provided with an hash or hash reference of cookie parameters (see
Cookie) and this will create a new cookie and add it to the cookie
repository.
Alternatively, you can also provide directly an existing cookie object
my $c = $jar->add( $cookie_object ) || die( $jar->error );
add_cookie_header
This is an alias for "add_request_header" for backward compatibility
with HTTP::Cookies
add_request_header
Provided with a request object, such as, but not limited to
HTTP::Request and this will add all relevant cookies in the repository
into the "Cookie" http request header. The object method needs to have
the "header" method in order to get, or set the "Cookie" or "Set-Cookie"
headers and the "uri" method.
As long as the object provided supports the "uri" and "header" method,
you can provide any class of object you want.
Please refer to the rfc6265
<https://datatracker.ietf.org/doc/html/rfc6265> for more information on
the applicable rule when adding cookies to the outgoing request header.
Basically, it will add, for a given domain, first all cookies whose path
is longest and at path equivalent, the cookie creation date is used,
with the earliest first. Cookies who have expired are not sent, and
there can be cookies bearing the same name for the same domain in
different paths.
add_response_header
# Adding cookie to the repository
$jar->add(
name => 'session',
value => 'lang=en-GB',
path => '/',
secure => 1,
same_site => 'Lax',
) || die( $jar->error );
# then placing it onto the response header
$jar->add_response_header;
This is the alter ego to "add_request_header", in that it performs the
equivalent function, but for the server side.
You can optionally provide, as unique argument, an object, such as but
not limited to, HTTP::Response, as long as that class supports the
"header" method
Alternatively, if an Apache object has been set upon object
instantiation or later using the "request" method, then it will be used
to set the outgoing "Set-Cookie" headers (there is one for every cookie
sent).
If no response, nor Apache2 object were set, then this will simply
return a list of "Set-Cookie" in list context, or a string of possibly
multiline "Set-Cookie" headers, or an empty string if there is no cookie
found to be sent.
Be careful not to do the following:
# get cookies sent by the http client
$jar->fetch || die( $jar->error );
# set the response headers with the cookies from our repository
$jar->add_response_header;
Why? Well, because "fetch" retrieves the cookies sent by the http client
and store them into the repository. However, cookies sent by the http
client only contain the cookie name and value, such as:
GET /my/path/ HTTP/1.1
Host: www.example.org
Cookie: session_token=eyJleHAiOjE2MzYwNzEwMzksImFsZyI6IkhTMjU2In0.eyJqdGkiOiJkMDg2Zjk0OS1mYWJmLTRiMzgtOTE1ZC1hMDJkNzM0Y2ZmNzAiLCJmaXJzdF9uYW1lIjoiSm9obiIsImlhdCI6MTYzNTk4NDYzOSwiYXpwIjoiNGQ0YWFiYWQtYmJiMy00ODgwLThlM2ItNTA0OWMwZTczNjBlIiwiaXNzIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20iLCJlbWFpbCI6ImpvaG4uZG9lQGV4YW1wbGUuY29tIiwibGFzdF9uYW1lIjoiRG9lIiwic3ViIjoiYXV0aHxlNzg5OTgyMi0wYzlkLTQyODctYjc4Ni02NTE3MjkyYTVlODIiLCJjbGllbnRfaWQiOiJiZTI3N2VkYi01MDgzLTRjMWEtYTM4MC03Y2ZhMTc5YzA2ZWQiLCJleHAiOjE2MzYwNzEwMzksImF1ZCI6IjRkNGFhYmFkLWJiYjMtNDg4MC04ZTNiLTUwNDljMGU3MzYwZSJ9.VSiSkGIh41xXIVKn9B6qGjfzcLlnJAZ9jGOPVgXASp0; csrf_token=9849724969dbcffd48c074b894c8fbda14610dc0ae62fac0f78b2aa091216e0b.1635825594; site_prefs=lang%3Den-GB
As you can see, 3 cookies were sent: "session_token", "csrf_token" and
"site_prefs"
So, when "fetch" creates an object for each one and store them, those
cookies have no "path" value and no other attribute, and when
"add_response_header" is then called, it stringifies the cookies and
create a "Set-Cookie" header for each one, but only with their value and
no other attribute.
The http client, when receiving those cookies will derive the missing
cookie path to be "/my/path", i.e. the current uri path, and will create
a duplicate cookie from the previously stored cookie with the same name
for that host, but that had the path set to "/"
So you can create a repository and use it to store the cookies sent by
the http client using "fetch", but in preparation of the server
response, either use a separate repository with, for example, "my
$jar_out = Cookie::Jar->new" or use "set" which will not add the cookie
to the repository, but rather only set the "Set-Cookie" header for that
cookie.
# Add Set-Cookie header for that cookie, but do not add cookie to repository
$jar->set( $cookie_object );
algo
String. Sets or gets the algorithm to use when loading or saving the
cookie jar.
autosave
Boolean. Sets or gets the boolean value for automatically saving the
cookie jar to the given file specified with "file"
delete
Given a cookie name, an optional host and optional path or a Cookie
object, and this will remove it from the cookie repository.
It returns an array object upon success, or "undef" in perlfunc and sets
an error. Note that the array object may be empty.
However, this will NOT remove it from the web browser by sending a
Set-Cookie header. For that, you might want to look at the "elapse" in
Cookie method.
It returns an array object of cookie objects removed.
my $arr = $jar->delete( 'my-cookie' );
# alternatively
my $arr = $jar->delete( 'my-cookie' => 'www.example.org' );
# or
my $arr = $jar->delete( $my_cookie_object );
printf( "%d cookie(s) removed.\n", $arr->length );
print( "Cookie value removed was: ", $arr->first->value, "\n" );
If you are interested in telling the http client to remove all your
cookies, you can set the "Clear-Site-Data" header:
Clear-Site-Data: "cookies"
You can instruct the http client to remove other data like local
storage:
Clear-Site-Data: "cookies", "cache", "storage", "executionContexts"
Although this is widely supported, there is no guarantee the http client
will actually comply with this request.
See Mozilla documentation
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Da
ta> for more information.
do
Provided with an anonymous code or reference to a subroutine, and this
will call that code for every cookie in the repository, passing it the
cookie object as the sole argument. Also, that cookie object is
accessible using $_.
If the code return "undef", it will end the loop, and if the code
returns true, this will have the current cookie object added to an array
object returned upon completion of the loop.
my $found = $jar->do(sub
{
# Part of the path
if( index( $path, $_->path ) == 0 )
{
return(1);
}
return(0);
});
print( "Found cookies: ", $found->map(sub{$_->name})->join( ',' ), "\n" );
encrypt
Boolean. Sets or gets the boolean value for whether to encrypt or not
the cookie jar when saving it, or whether to decrypt it when loading
cookies from it.
This defaults to false.
exists
Given a cookie name, this will check if it exists.
It returns 1 if it does, or 0 if it does not.
extract
Provided with a response object, such as, but not limited to
HTTP::Response, and this will retrieve any cookie sent from the remote
server, parse them and add their respective to the repository.
As per the rfc6265, section 5.3.11 specifications
<https://datatracker.ietf.org/doc/html/rfc6265#section-5.3> if there are
duplicate cookies for the same domain and path, only the last one will
be retained.
If the cookie received does not contain any "Domain" specification,
then, in line with rfc6265 specifications, it will take the root of the
current domain as the default domain value. Since finding out what is
the root for a domain name is a non-trivial exercise, this method relies
on Cookie::Domain.
extract_cookies
This is an alias for "extract" for backward compatibility with
HTTP::Cookies
extract_one
This method takes a cookie string, which can be found in the
"Set-Cookie" header, parse it, and returns a Cookie object if
successful, or sets an error and return "undef" or an empty list
depending on the context.
It also takes an hash or hash reference of options.
The following options are supported:
* "host"
If provided, it will be used to find out the host's root domain, and
to set the cookie object "domain" property if none is specified in
the cookie string.
* "path"
If provided, it will be used to set the cookie object "path"
property.
* "port"
If provided, it will be used to set the cookie object "port"
property.
fetch
This method does the equivalent of "extract", but for the server.
It retrieves all possible cookies from the http request received from
the web browser.
It takes an optional hash or hash reference of parameters, such as
"host". If it is not provided, the value set with "host" is used
instead.
If the parameter "request" containing an http request object, such as,
but not limited to HTTP::Request, is provided, it will use it to get the
"Cookie" header value. The object method needs to have the "header"
method in order to get, or set the "Cookie" or "Set-Cookie" headers.
Alternatively, if a value for "request" has been set, it will use it to
get the "Cookie" header value from Apache modperl.
You can also provide the "Cookie" string to parse by providing the
"string" option to this method.
$jar->fetch( string => q{foo=bar; site_prefs=lang%3Den-GB} ) ||
die( $jar->error );
Ultimately, if none of those are available, it will use the environment
variable "HTTP_COOKIE"
If the option "store" is true (by default it is true), this method will
add the fetched cookies to the repository.
It returns an hash reference of cookie key => cookie object
A cookie key is made of the host (possibly empty), the path and the
cookie name separated by ";"
# Cookies added to the repository
$jar->fetch || die( $jar->error );
# Cookies returned, but NOT added to the repository
my $cookies = $jar->fetch || die( $jar->error );
file
Sets or gets the file path to the cookie jar file.
If provided upon instantiation, and if the file exists on the filesystem
and is not empty, "Cookie::Jar" will load all the cookies from it.
If "autosave" is set to a true, "Cookie::Jar" will automatically save
all cookies to the specified cookie jar file, possibly encrypting it if
"algo" and "secret" are set.
get
Given a cookie name, an optional host and an optional path, this will
retrieve its corresponding cookie object and return it.
If not found, it will try to return a value with just the cookie name.
If nothing is found, this will return and empty list in list context or
"undef" in scalar context.
You can "get" multiple cookie object and this method will return a list
in list context and the first cookie object found in scalar context.
# Wrong, an undefined returned value here only means there is no such cookie
my $c = $jar->get( 'my-cookie' );
die( $jar->error ) if( !defined( $c ) );
# Correct
my $c = $jar->get( 'my-cookie' ) || die( "No cookie my-cookie found\n" );
# Possibly get multiple cookie object for the same name
my @cookies = $jar->get( 'my_same_name' ) || die( "No cookies my_same_name found\n" );
# or
my @cookies = $jar->get( 'my_same_name' => 'www.example.org', '/private' ) || die( "No cookies my_same_name found\n" );
get_by_domain
Provided with a host and an optional hash or hash reference of
parameters, and this returns an array object of cookie objects matching
the domain specified.
If a "sort" parameter has been provided and its value is true, this will
sort the cookies by path alphabetically. If the sort value exists, but
is false, this will sort the cookies by path but in a reverse
alphabetical order.
By default, the cookies are sorted.
host
Sets or gets the default host. This is especially useful for cookies
repository used on the server side.
key
Provided with a cookie name and an optional host and this returns a key
used to add an entry in the hash repository.
If no host is provided, the key is just the cookie, otherwise the
resulting key is the cookie name and host separated just by ";"
You should not need to use this method as it is used internally only.
load
$jar->load( '/home/joe/cookies.json' ) || die( $jar->error );
# or loading cookies from encrypted file
$jar->load( '/home/joe/cookies_encrypted.json',
{
decrypt => 1,
key => $key,
iv => $iv,
algo => 'AES'
}) || die( $jar->error );
Give a json cookie file, and an hash or hash reference of options, and
this will load its data into the repository. If there are duplicates
(same cookie name and host), the latest one added takes precedence, as
per the rfc6265 specifications.
Supported options are:
*algo* string
Algorithm to use to decrypt the cookie file.
It can be any of AES, Anubis, Blowfish, CAST5, Camellia, DES,
DES_EDE, KASUMI, Khazad, MULTI2, Noekeon, RC2, RC5, RC6, SAFERP,
SAFER_K128, SAFER_K64, SAFER_SK128, SAFER_SK64, SEED, Skipjack,
Twofish, XTEA, IDEA, Serpent or simply any <NAME> for which there
exists Crypt::Cipher::<NAME>
*decrypt* boolean
Must be set to true to enable decryption.
*iv* string
Set the Initialisation Vector
<https://en.wikipedia.org/wiki/Initialization_vector> used for file
encryption and decryption. This must be the same value used for
encryption. See "save"
*key* string
Set the encryption key used to decrypt the cookies file.
The key must be the same one used to encrypt the file. See "save"
"load" returns the current object upon success and "undef" and sets an
error upon error.
load_as_lwp
$jar->load_as_lwp( '/home/joe/cookies_lwp.txt' ) ||
die( "Unable to load cookies from file: ", $jar->error );
# or loading an encrypted file
$jar->load_as_lwp( '/home/joe/cookies_encrypted_lwp.txt',
{
encrypt => 1,
key => $key,
iv => $iv,
algo => 'AES',
}) || die( $jar->error );
Given a file path to an LWP-style cookie file (see below a snapshot of
what it looks like), and an hash or hash reference of options, and this
method will read the cookies from the file and add them to our
repository, possibly overwriting previous cookies with the same name and
domain name.
The supported options are the same as for "load"
LWP-style cookie files are ancient, and barely used anymore, but no
matter; if you need to load cookies from such file, it looks like this:
#LWP-Cookies-1.0
Set-Cookie3: cookie1=value1; domain=example.com; path=; path_spec; secure; version=2
Set-Cookie3: cookie2=value2; domain=api.example.com; path=; path_spec; secure; version=2
Set-Cookie3: cookie3=value3; domain=img.example.com; path=; path_spec; secure; version=2
It returns the current object upon success, or "undef" and sets an error
upon error.
load_as_mozilla
$jar->load_as_mozilla( '/home/joe/cookies.sqlite' ) ||
die( "Unable to load cookies from mozilla cookies.sqlite file: ", $jar->error );
Given a file path to a mozilla SQLite database file, and an hash or hash
reference of options, and this method will attempt to read the cookies
from the SQLite database file and add them to our repository, possibly
overwriting previous cookies with the same name and domain name.
To read the SQLite database file, this will try first to load DBI and
DBD::SQLite and use them if they are available, otherwise it will resort
to using the "sqlite3" binary if it can find it, using "which" in
File::Which
If none of those 2 methods succeeded, it will return "undef" with an
error
Note that contrary to other loading method, this method does not support
encryption.
It returns the current object upon success, or "undef" and sets an error
upon error.
Supported options are:
* "use_dbi"
Boolean. If true, this will require the use of DBI and DBD::SQLite
and if it cannot load them, it will return an error without trying
to alternatively use the "sqlite3" binary. Default to false.
* "sqlite"
String. The file path to a "sqlite3" binary. If the file path does
not exist, or is lacking sufficient permission, this will return an
error.
If it is not provided, and using DBI and DBD::SQLite failed, it will
try to find the "sqlite3" using "which" in File::Which
load_as_netscape
$jar->save_as_netscape( '/home/joe/cookies_netscape.txt' ) ||
die( "Unable to save cookies file: ", $jar->error );
# or saving as an encrypted file
$jar->save_as_netscape( '/home/joe/cookies_encrypted_netscape.txt',
{
encrypt => 1,
key => $key,
iv => $iv,
algo => 'AES',
}) || die( $jar->error );
Given a file path to a Netscape-style cookie file, and this method will
read cookies from the file and add them to our repository, possibly
overwriting previous cookies with the same name and domain name.
It returns the current object upon success, or "undef" and sets an error
upon error.
make
Provided with some parameters and this will instantiate a new Cookie
object with those parameters and return the new object.
This does not add the newly created cookie object to the cookies
repository.
For a list of supported parameters, refer to the Cookie documentation
# Make an encrypted cookie
use Bytes::Random::Secure ();
my $c = $jar->make(
name => 'session',
value => $secret_value,
path => '/',
secure => 1,
http_only => 1,
same_site => 'Lax',
key => Bytes::Random::Secure::random_bytes(32),
algo => $algo,
encrypt => 1,
) || die( $jar->error );
# or as an hash reference of parameters
my $c = $jar->make({
name => 'session',
value => $secret_value,
path => '/',
secure => 1,
http_only => 1,
same_site => 'Lax',
key => Bytes::Random::Secure::random_bytes(32),
algo => $algo,
encrypt => 1,
}) || die( $jar->error );
merge
Provided with another Cookie::Jar object, or at least an object that
supports the "do" method, which takes an anonymous code as argument, and
that calls that code passing it each cookie object found in the
alternate repository, and this method will add all those cookies in the
alternate repository into the current repository.
$jar->merge( $other_jar ) || die( $jar->error );
If the cookie objects passed to the anonymous code in this method, are
not Cookie object, then at least they must support the methods "name",
"value", "domain", "path", "port", "secure", "max_age", "secure",
"same_site" and , "http_only"
This method also takes an hash or hash reference of options:
*die* boolean
If true, the anonymous code passed to the "do" method called, will
die upon error. Default to false.
By default, if an error occurs, "undef" is returned and the error is
set.
*overwrite* boolean
If true, when an existing cookie is found it will be overwritten by
the new one. Default to false.
use Nice::Try;
try
{
$jar->merge( $other_jar, die => 1, overwrite => 1 );
}
catch( $e )
{
die( "Failed to merge cookies repository: $e\n" );
}
Upon success this will return the current object, and if there was an
error, this returns "undef" in perlfunc and sets an error
parse
This method is used by "fetch" to parse cookies sent by http client.
Parsing is much simpler than for http client receiving cookies from
server.
It takes the raw "Cookie" string sent by the http client, and returns an
hash reference (possibly empty) of cookie name to cookie value pairs.
my $cookies = $jar->parse( 'foo=bar; site_prefs=lang%3Den-GB' );
# You can safely do as well:
my $cookies = $jar->parse( '' );
purge
Thise takes no argument and will remove from the repository all cookies
that have expired. A cookie that has expired is a Cookie that has its
"expires" property set and whose value is in the past.
This returns an array object of all the cookies thus removed.
my $all = $jar->purge;
printf( "Cookie(s) removed were: %s\n", $all->map(sub{ $_->name })->join( ',' ) );
# or
printf( "%d cookie(s) removed from our repository.\n", $jar->purge->length );
replace
Provided with a Cookie object, and an optional other Cookie object, and
this method will replace the former cookie provided in the second
parameter with the new one provided in the first parameter.
If only one parameter is provided, the cookies to be replaced will be
derived from the replacement cookie's properties, namely: "name",
"domain" and "path"
It returns an array object of cookie objects replaced upon success, or
"undef" and set an error upon error.
repo
Set or get the array object used as the cookie jar repository.
printf( "%d cookies found\n", $jar->repo->length );
request
Set or get the Apache2::RequestRec object. This object is used to set
the "Set-Cookie" header within modperl.
save
$jar->save( '/home/joe/cookies.json' ) ||
die( "Failed to save cookies: ", $jar->error );
# or saving the cookies file encrypted
$jar->save( '/home/joe/cookies_encrypted.json',
{
encrypt => 1,
key => $key,
iv => $iv,
algo => 'AES',
}) || die( $jar->error );
Provided with a file, and an hash or hash reference of options, and this
will save the repository of cookies as json data.
The hash saved to file contains 2 top properties: "updated_on"
containing the last update date and "cookies" containing an hash of
cookie name to cookie properties pairs.
It returns the current object. If an error occurred, it will return
"undef" and set an error
Supported options are:
*algo* string
Algorithm to use to encrypt the cookie file.
It can be any of AES, Anubis, Blowfish, CAST5, Camellia, DES,
DES_EDE, KASUMI, Khazad, MULTI2, Noekeon, RC2, RC5, RC6, SAFERP,
SAFER_K128, SAFER_K64, SAFER_SK128, SAFER_SK64, SEED, Skipjack,
Twofish, XTEA, IDEA, Serpent or simply any <NAME> for which there
exists Crypt::Cipher::<NAME>
*encrypt* boolean
Must be set to true to enable encryption.
*iv* string
Set the Initialisation Vector
<https://en.wikipedia.org/wiki/Initialization_vector> used for file
encryption. If you do not provide one, it will be automatically
generated. If you want to provide your own, make sure the size meets
the encryption algorithm size requirement. You also need to keep
this to decrypt the cookies file.
To find the right size for the Initialisation Vector, for example
for algorithm "AES", you could do:
perl -MCrypt::Cipher::AES -lE 'say Crypt::Cipher::AES->blocksize'
which would yield 16
*key* string
Set the encryption key used to encrypt the cookies file.
The key must be the same one used to decrypt the file and must have
a size big enough to satisfy the encryption algorithm requirement,
which you can check with, say for "AES":
perl -MCrypt::Cipher::AES -lE 'say Crypt::Cipher::AES->keysize'
In this case, it will yield 32. Replace above "AES", by whatever
algorithm you have chosen.
perl -MCrypt::Cipher::Blowfish -lE 'say Crypt::Cipher::Blowfish->keysize'
would yield 56 for "Blowfish"
You can use "random_bytes" in Bytes::Random::Secure to generate a
random key:
# will generate a 32 bytes-long key
my $key = Bytes::Random::Secure::random_bytes(32);
When encrypting the cookies file, this method will encode the encrypted
data in base64 before saving it to file.
save_as_lwp
$jar->save_as_lwp( '/home/joe/cookies_lwp.txt' ) ||
die( "Unable to save cookies file: ", $jar->error );
# or saving as an encrypted file
$jar->save_as_lwp( '/home/joe/cookies_encrypted_lwp.txt',
{
encrypt => 1,
key => $key,
iv => $iv,
algo => 'AES',
}) || die( $jar->error );
Provided with a file, and an hash or hash reference of options, and this
save the cookies repository as a LWP-style data.
The supported options are the same as for "save"
It returns the current object. If an error occurred, it will return
"undef" and set an error
save_as_mozilla
$jar->save_as_mozilla( '/home/joe/cookies.sqlite' ) ||
die( "Unable to save cookies as mozilla SQLite database: ", $jar->error );
# or
$jar->save_as_mozilla( '/home/joe/cookies.sqlite',
{
# force use of DBI/DBD::SQLite
use_dbi => 1,
# or specify the path of the sqlite3 binary
# sqlite => '/some/where/sqlite3',
# Enable logging of SQL queries maybe?
# log_sql => '/some/where/sql.log',
# Overwrite previous data
overwrite => 1,
# abort if an error occurred
rollback => 1,
}) || die( "Unable to save cookies as mozilla SQLite database: ", $jar->error );
Provided with a file path to a SQLite database and this saves the
cookies repository as a mozilla SQLite database.
The structure of the mozilla SQLite database
<http://kb.mozillazine.org/Cookies> is:
CREATE TABLE moz_cookies(
id INTEGER PRIMARY KEY,
originAttributes TEXT NOT NULL DEFAULT '',
name TEXT,
value TEXT,
host TEXT,
path TEXT,
expiry INTEGER,
lastAccessed INTEGER,
creationTime INTEGER,
isSecure INTEGER,
isHttpOnly INTEGER,
inBrowserElement INTEGER DEFAULT 0,
sameSite INTEGER DEFAULT 0,
rawSameSite INTEGER DEFAULT 0,
schemeMap INTEGER DEFAULT 0,
CONSTRAINT moz_uniqueid UNIQUE(name, host, path, originAttributes)
);
This method will attempt loading DBI and DBD::SQLite, and if it fails,
it will alternatively try to use the "sqlite3" binary.
Note that, contrary to other save methods, this method does not allow
encrypting the SQLite database.
It returns the current object. If an error occurred, it will return
"undef" and set an error
Supported options are:
* "log_sql"
String. This specifies a file name that will be opened in append
mode and to which the SQL statements issued will be logged.
* "overwrite"
Boolean. If true, this will overwrite any existing data if the
specified SQLite database file already exists.
And if false, this will issue sql queries to perform upsert
<https://www.sqlite.org/lang_UPSERT.html> if the SQLite version is
greater or equal to 3.24.0 (2018-06-04), or otherwise it will issue
INSERT OR REPLACE <https://www.sqlite.org/lang_insert.html> queries.
Default false.
* "rollback"
Boolean. If true, this will cancel, i.e. rollback, any change mad to
the SQLite database upon error, otherwise, any change made will be
kept up to the point of when the error occurred. Default to false.
* "skip_discard"
Boolean. If true, this will not save cookies that have been marked
as being discarded, such as session cookies. Default false.
* "skip_expired"
Boolean. If true, this will not save the cookies that have already
expired. Default false.
* "sqlite"
String. The file path to a "sqlite3" binary. If the file path does
not exist, or is lacking sufficient permission, this will return an
error.
If it is not provided, and using DBI and DBD::SQLite failed, it will
try to find the "sqlite3" using "which" in File::Which
* "use_dbi"
Boolean. Requires the use of DBI and DBD::SQLite and it will return
an error if those are not installed.
If you want to let this method try also to use "sqlite3" binary if
necessary, then do not set this option.
save_as_netscape
Provided with a file and this saves the cookies repository as a
Netscape-style data.
It returns the current object. If an error occurred, it will return
"undef" and set an error
scan
This is an alias for "do"
secret
String. Sets or gets the secret string to use for decrypting or
encrypting the cookie jar. This is used in conjonction with "file",
"encrypt" and "algo"
set
Given a cookie object, and an optional hash or hash reference of
parameters, and this will add the cookie to the outgoing http headers
using the "Set-Cookie" http header. To do so, it uses the
Apache2::RequestRec value set in "request", if any, or a HTTP::Response
compatible response object provided with the "response" parameter.
$jar->set( $c, response => $http_response_object ) ||
die( $jar->error );
Ultimately if none of those two are provided it returns the "Set-Cookie"
header as a string.
# Returns something like:
# Set-Cookie: my-cookie=somevalue
print( STDOUT $jar->set( $c ), "\015\012" );
Unless the latter, this method returns the current object.
type
String. Sets or gets the cookie jar file format type. The supported
formats are: "json", "lwp" and "netscape"
IMPORTING COOKIES
To import cookies, you can either use the methods scan from
HTTP::Cookies, such as:
use Cookie::Jar;
use HTTP::Cookies;
my $jar = Cookie::Jar->new;
my $old = HTTP::Cookies->new;
$old->load( '/home/joe/old_cookies_file.txt' );
my @keys = qw( version key val path domain port path_spec secure expires discard hash );
$old->scan(sub
{
my @values = @_;
my $ref = {};
@$ref{ @keys } = @values;
my $c = Cookie->new;
$c->apply( $ref ) || die( $c->error );
$jar->add( $c );
});
printf( "%d cookies now in our repository.\n", $jar->repo->length );
or you could also load a cookie file. Cookie::Jar supports LWP format
and old Netscape format:
$jar->load_as_lwp( '/home/joe/lwp_cookies.txt' );
$jar->load_as_netscape( '/home/joe/netscape_cookies.txt' );
And of course, if you are using Cookie::Jar json cookies file, you can
import them with:
$jar->load( '/home/joe/cookies.json' );
ENCRYPTION
This package supports encryption and decryption of cookies file, and
also the cookies values themselve.
See methods "save" and "load" for encryption options and the Cookie
package for options to encrypt or sign cookies value.
INSTALLATION
As usual, to install this module, you can do:
perl Makefile.PL
make
make test
sudo make install
If you have Apache/modperl2 installed, this will also prepare the
Makefile and run test under modperl.
The Makefile.PL tries hard to find your Apache configuration, but you
can give it a hand by specifying some command line parameters. See
Apache::TestMM for available parameters or you can type on the command
line:
perl -MApache::TestConfig -le 'Apache::TestConfig::usage()'
For example:
perl Makefile.PL -apxs /usr/bin/apxs -port 1234
# which will also set the path to httpd_conf, otherwise
perl Makefile.PL -httpd_conf /etc/apache2/apache2.conf
# then
make
make test
sudo make install
See also modperl testing documentation
<https://perl.apache.org/docs/general/testing/testing.html>
But, if for some reason, you do not want to perform the mod_perl tests,
you can use "NO_MOD_PERL=1" when calling "perl Makefile.PL", such as:
NO_MOD_PERL=1 perl Makefile.PL
make
make test
sudo make install
AUTHOR
Jacques Deguest <jack@deguest.jp>
SEE ALSO
Cookie, Cookie::Domain, Apache2::Cookies, APR::Request::Cookie,
Cookie::Baker
Latest tentative version of the cookie standard
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09>
Mozilla documentation on Set-Cookie
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie>
Information on double submit cookies
<https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forge
ry_Prevention_Cheat_Sheet.html#double-submit-cookie>
COPYRIGHT & LICENSE
Copyright (c) 2019-2019 DEGUEST Pte. Ltd.
You can use, copy, modify and redistribute this package and associated
files under the same terms as Perl itself.