WT-8531: remember-me not deleted when using websockets

HttpOnly cookies cannot be changed when using websockets, so always
use an HTTP request for updating cookies.

Author: korneel-emweb

src/web/WebRenderer.C

@@ -119,7 +119,7 @@ WebRenderer::WebRenderer(WebSession& session)
     currentStatelessSlotIsActuallyStateless_(true),
     formObjectsChanged_(true),
     updateLayout_(false),
-    multiSessionCookieUpdateNeeded_(false),
+    cookieUpdateNeeded_(false),
     learning_(false)
 { }
 
@@ -168,7 +168,7 @@ bool WebRenderer::isDirty() const
     || !collectedJS2_.empty()
     || !invisibleJS_.empty()
     || !wsRequestsToHandle_.empty()
-    || multiSessionCookieUpdateNeeded_;
+    || cookieUpdateNeeded_;
 }
 
 const WebRenderer::FormObjectsMap& WebRenderer::formObjects() const
@@ -508,6 +508,7 @@ void WebRenderer::setCookie(const std::string name, const std::string value,
 			    bool secure)
 {
   cookiesToSet_[name] = CookieValue(value, path, domain, expires, secure);
+  cookieUpdateNeeded_ = true;
 }
 
 void WebRenderer::setCaching(WebResponse& response, bool allowCache)
@@ -561,16 +562,15 @@ void WebRenderer::setHeaders(WebResponse& response, const std::string mimeType)
     else
       header << " Path=" << cookie.path << ';';
 
-    // a httponly cookie cannot be set using JavaScript
-    if (!response.isWebSocketMessage())
-      header << " httponly;";
+    header << " httponly;";
 
     if (cookie.secure)
       header << " secure;";
 
     response.addHeader("Set-Cookie", header.str());
   }
   cookiesToSet_.clear();
+  cookieUpdateNeeded_ = false;
 
 #ifndef WT_TARGET_JAVA
   const WServer *s = session_.controller()->server();
@@ -607,8 +607,10 @@ std::string WebRenderer::sessionUrl() const
 
 void WebRenderer::serveJavaScriptUpdate(WebResponse& response)
 {
-  setCaching(response, false);
-  setHeaders(response, "text/javascript; charset=UTF-8");
+  if (!response.isWebSocketMessage()) {
+    setCaching(response, false);
+    setHeaders(response, "text/javascript; charset=UTF-8");
+  }
 
   if (session_.sessionIdChanged_) {
     collectedJS1_ << session_.app()->javaScriptClass()
@@ -632,7 +634,7 @@ void WebRenderer::serveJavaScriptUpdate(WebResponse& response)
     out << collectedJS1_.str() << collectedJS2_.str();
 
     if (response.isWebSocketMessage()) {
-      renderMultiSessionCookieUpdate(out);
+      renderCookieUpdate(out);
       renderWsRequestsDone(out);
 
       LOG_DEBUG("jsSynced(false) after rendering websocket message");
@@ -669,12 +671,12 @@ void WebRenderer::updateMultiSessionCookie(const WebRequest &request)
             session_.env().urlScheme() == "https");
 }
 
-void WebRenderer::renderMultiSessionCookieUpdate(WStringStream &out)
+void WebRenderer::renderCookieUpdate(WStringStream &out)
 {
-  if (multiSessionCookieUpdateNeeded_) {
+  if (cookieUpdateNeeded_) {
     out << session_.app()->javaScriptClass()
-	<< "._p_.refreshCookie();";
-    multiSessionCookieUpdateNeeded_ = false;
+        << "._p_.refreshCookie();";
+    cookieUpdateNeeded_ = false;
   }
 }
 

src/web/WebRenderer.h

@@ -127,7 +127,7 @@ class WT_API WebRenderer : public Wt::SlotLearnerInterface
   bool updateLayout_;
 
   std::vector<int> wsRequestsToHandle_;
-  bool multiSessionCookieUpdateNeeded_;
+  bool cookieUpdateNeeded_;
 
   void setHeaders(WebResponse& request, const std::string mimeType);
   void setCaching(WebResponse& response, bool allowCache);
@@ -182,7 +182,7 @@ class WT_API WebRenderer : public Wt::SlotLearnerInterface
   void renderWsRequestsDone(WStringStream &out);
 
   void updateMultiSessionCookie(const WebRequest &request);
-  void renderMultiSessionCookieUpdate(WStringStream &out);
+  void renderCookieUpdate(WStringStream &out);
 
 public:
   virtual std::string learn(WStatelessSlot* slot) final override;

src/web/WebSession.C

@@ -1554,11 +1554,7 @@ void WebSession::handleRequest(Handler& handler)
             = handler.request()->getParameter("signal");
           bool isKeepAlive = requestE && signalE && *signalE == "keepAlive";
           if (isKeepAlive || !env_->ajax()) {
-            if (request.isWebSocketMessage()) {
-              renderer().multiSessionCookieUpdateNeeded_ = true;
-            } else {
-              renderer().updateMultiSessionCookie(request);
-            }
+            renderer().updateMultiSessionCookie(request);
           }
         }
 

src/web/WebSocketMessage.C

@@ -84,8 +84,7 @@ void WebSocketMessage::setContentLength(::int64_t length)
 void WebSocketMessage::addHeader(const std::string& name,
 				 const std::string& value)
 {
-  if (name == "Set-Cookie")
-    out() << "document.cookie=" << WWebWidget::jsStringLiteral(value) << ";";
+  error("addHeader(): not supported");
 }
 
 const char *WebSocketMessage::envValue(const char *name) const

src/web/skeleton/Wt.js

@@ -4060,7 +4060,7 @@ function bindGlobal(event, id, f) {
     }, 0);
 }
 
-function refreshMultiSessionCookie() {
+function refreshCookie() {
   comm.sendUpdate('request=jsupdate&signal=keepAlive&ackId=' + ackUpdateId, false, ackUpdateId, -1);
 }
 
@@ -4125,7 +4125,7 @@ this._p_ = {
   setConnectionMonitor : setConnectionMonitor,
   updateGlobal: updateGlobal,
   bindGlobal: bindGlobal,
-  refreshCookie: refreshMultiSessionCookie,
+  refreshCookie: refreshCookie,
 
   propagateSize : propagateSize,