From bc28d08af8e619a3e4db58d98a3187d77ac491f9 Mon Sep 17 00:00:00 2001
From: slava
Date: Mon, 12 Nov 2018 14:27:28 -0500
Subject: [PATCH] Add MellonCookieExpires to set cookie expiry time

Ability to make cookies live long then browser session :
---
 README.md | 5 +++++
 auth_mellon.h | 3 +++
 auth_mellon_config.c | 13 +++++++++++++
 auth_mellon_cookie.c | 13 +++++++++++--
 doc/user_guide/mellon_user_guide.adoc | 6 ++++--
 5 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 8d85b43..0a29609 100644
--- a/README.md
+++ b/README.md
@@ -216,6 +216,11 @@ MellonDiagnosticsEnable Off
 # Default: /
 MellonCookiePath /
+ # MellonCookieExpires seconds into the future the cookie will expire
+ # the date will be now() + MellonCookieExpires
+ # Default: Unset (Browser Session)
+ # MellonCookieExpires 86400
+
 # MellonCookieSameSite allows control over the SameSite value used
 # for the authentication cookie.
 # The setting accepts values of "Strict" or "Lax"
diff --git a/auth_mellon.h b/auth_mellon.h
index a10d2a4..e63d424 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -268,6 +268,9 @@ typedef struct am_dir_cfg_rec {
 /* Maximum number of seconds a session is valid for. */
 int session_length;
+ /* When cookie expires */
+ int cookie_expires;
+
 /* No cookie error page. */
 const char *no_cookie_error_page;
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 396ff1e..7e3f243 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1426,6 +1426,14 @@ const command_rec auth_mellon_commands[] = {
 "Maximum number of seconds a session will be valid for. Defaults"
 " to 86400 seconds (1 day)."
 ),
+ AP_INIT_TAKE1(
+ "MellonCookieExpires",
+ ap_set_int_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, cookie_expires),
+ OR_AUTHCFG,
+ "Maximum number of seconds a cookie will be valid for"
+ "Defaults to browser session"
+ ),
 AP_INIT_TAKE1(
 "MellonNoCookieErrorPage",
 ap_set_string_slot,
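Review bot: The comment `/* When cookie expires */` on the new `cookie_expires` field of `am_dir_cfg_rec` does not say what the integer holds or what its sentinel value means, while the neighbouring `session_length` comment does. The config hunk initialises it to -1 and the cookie hunk emits an `Expires` attribute only when it is above -1, so I would write `/* Seconds after issue at which the cookie expires; -1 (default) means no Expires attribute, i.e. a browser-session cookie. */`. The `am_dir_cfg_rec` definition starts and ends outside the hunk.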
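Review bot: The two adjacent string literals in the new `AP_INIT_TAKE1` entry for `MellonCookieExpires` concatenate with no separator, so the directive help text (what `httpd -L` prints) reads `...will be valid forDefaults to browser session`. Change them to `"Maximum number of seconds a cookie will be valid for."` and `" Defaults to browser session."`, matching the punctuation of the `MellonSessionLength` entry directly above. The `auth_mellon_commands[]` array begins and ends outside the hunk.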
@@ -1723,6 +1731,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
 dir->endpoint_path = default_endpoint_path;
 dir->session_length = -1; /* -1 means use default. */
+ dir->cookie_expires = -1; /* -1 means use default. */
 dir->no_cookie_error_page = NULL;
 dir->no_success_error_page = NULL;
@@ -1897,6 +1906,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
 add_cfg->session_length :
 base_cfg->session_length);
+ new_cfg->cookie_expires = (add_cfg->cookie_expires != -1 ?
+ add_cfg->cookie_expires :
+ base_cfg->cookie_expires);
+
 new_cfg->no_cookie_error_page = (add_cfg->no_cookie_error_page != NULL ?
 add_cfg->no_cookie_error_page :
 base_cfg->no_cookie_error_page);
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 445022f..55eafa2 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -59,6 +59,9 @@ static const char *am_cookie_params(request_rec *r)
 const char *cookie_domain = ap_get_server_name(r);
 const char *cookie_path = "/";
 const char *cookie_samesite = "";
+ const char *cookie_expires = "";
+ char rbuf[APR_RFC822_DATE_LEN + 1];
+
 am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
 if (cfg->cookie_domain) {
@@ -78,12 +81,18 @@ static const char *am_cookie_params(request_rec *r)
 secure_cookie = cfg->secure;
 http_only_cookie = cfg->http_only;
+ if ( cfg->cookie_expires > -1 ) {
+ apr_rfc822_date(rbuf, apr_time_now() + (APR_USEC_PER_SEC * cfg->cookie_expires));
+ cookie_expires = apr_psprintf(r->pool, "; Expires=%s", rbuf);
+ }
+
 return apr_psprintf(r->pool,
- "Version=1; Path=%s; Domain=%s%s%s%s;",
+ "Version=1; Path=%s; Domain=%s%s%s%s%s;",
 cookie_path,
 cookie_domain,
 http_only_cookie ? "; HttpOnly" : "",
 secure_cookie ? "; secure" : "",
- cookie_samesite);
+ cookie_samesite,
+ cfg->cookie_expires > -1 ? cookie_expires : "");
 }
diff --git a/doc/user_guide/mellon_user_guide.adoc b/doc/user_guide/mellon_user_guide.adoc
index 9bee7d4..fea2816 100644
--- a/doc/user_guide/mellon_user_guide.adoc
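Review bot: The guard `if ( cfg->cookie_expires > -1 )` accepts 0, so `MellonCookieExpires 0` emits an `Expires` equal to the current time and the browser discards the cookie at once, silently preventing any session from being established; unless 0 is intended to mean "expire immediately", `if (cfg->cookie_expires > 0) {` is the safer bound, and values below -1, which quietly fall back to a session cookie, deserve a config-time error or at least a log line. The test repeated in the last `apr_psprintf` argument is redundant, since `cookie_expires` is already `""` when the branch is skipped, so `cookie_expires);` alone suffices; `rbuf`, declared at function scope in the previous hunk, is only used inside this branch and could be declared there. A cookie carrying `Expires` persists across browser restarts, so the user guide should presumably say the value should not exceed `MellonSessionLength`, as the server-side session still bounds validity. `am_cookie_params` starts before this hunk.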
+++ b/doc/user_guide/mellon_user_guide.adoc
@@ -1948,8 +1948,6 @@ validity period for a Mellon session is the lesser of the
 `MellonSessionLength` or the optional IdP `SessionNotOnOrAfter` attribute
 if the IdP supplied it.
-
-
 === Mellon Cookie [[mellon_cookie]]
 <> information is communicated via a cookie. The
@@ -1977,6 +1975,10 @@ is found and it remains valid, Mellon immediately grants access. A Mellon
 session will expire, see <> for information concerning
 session lifetime.
+MellonCookieExpires can change how long the cookie lives. By default cookie
+lives as long as browser session, but using MellonCookieExpires directive
+it's possible to set cookie expiry that many seconds into the future
+
 == Working with SAML attributes and exporting values to web apps
 When you receive a SAML assertion authenticating a subject, the