comparison doc/upgrading.txt @ 8168:3f0f4746dc7e
issue2551370 - prefix session cookie with __Secure- over https
Limit use of roundup session cookie to HTTPS protocol by adding
__Secure- prefix. Automatic testing includes http behavior only.
Https behavior has been manually tested only. Need to be able to spin
up an https server using wsgiref to test https behavior in CI.
issue 2551373 opened to track automatic testing of https behavior.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 26 Nov 2024 17:11:13 -0500 |
| parents | 800c8dd75051 |
| children | 2967f37e73e4 |
| 8167:eaec1297a142 | 8168:3f0f4746dc7e |
|---|---|
| 131 <tal:block metal:use-macro="templates/page/macros/frame"> | 131 <tal:block metal:use-macro="templates/page/macros/frame"> |
| 132 | 132 |
| 133 at the top of both files. The icing macro used in other tracker | 133 at the top of both files. The icing macro used in other tracker |
| 134 templates was renamed to frame in this tracker template. | 134 templates was renamed to frame in this tracker template. |
| 135 | 135 |
| 136 More secure session cookie handling (info) | |
| 137 ------------------------------------------ | |
| 138 | |
| 139 This affects you if you are accessing a tracker via https. The name | |
| 140 for the cookie that you get when logging into the web interface has a | |
| 141 new name. When upgrading to Roundup 2.5 all users will have to to log | |
| 142 in again. The cookie now has a ``__Secure-`` prefix to prevent it | |
| 143 from being exposed/used over http. | |
| 144 | |
| 145 If your tracker is using the unencrypted http protocol, nothing has | |
| 146 changed. | |
| 147 | |
| 148 See | |
| 149 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes | |
| 150 for details on this security measure. | |
| 136 | 151 |
| 137 | 152 |
| 138 .. index:: Upgrading; 2.3.0 to 2.4.0 | 153 .. index:: Upgrading; 2.3.0 to 2.4.0 |
| 139 | 154 |
| 140 Migrating from 2.3.0 to 2.4.0 | 155 Migrating from 2.3.0 to 2.4.0 |
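Review bot: line 141 of the new section has a doubled word, "will have to to log in again"; drop one "to". On lines 139-141, "The name for the cookie ... has a new name" repeats itself; "The cookie that you get when logging into the web interface has a new name" reads better. Lines 142-143 credit the __Secure- prefix alone with keeping the cookie off http. Browsers accept a __Secure- cookie only when it is set over https with the Secure attribute, and it is that attribute that stops it being sent over http, so the sentence could say the prefix enforces that requirement. The section also does not say how an admin can tell which of the two cases (https or plain http) applies to a tracker whose https is terminated by a front-end proxy; one sentence on that would save a support question.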
