comparison roundup/cgi/client.py @ 4586:b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Fixes issue2550689, but it is untested whether this actually works in browsers.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Thu, 23 Feb 2012 14:55:35 +0100 |
| parents | 941681fec1b0 |
| children | 4f9c3858b671 |
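--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -293,10 +293,13 @@
 # save off the path
 self.path = env['PATH_INFO']
 
 # this is the base URL for this tracker
 self.base = self.instance.config.TRACKER_WEB
+
+# should cookies be secure?
+self.secure = self.base.startswith ('https')
 
 # check the tracker_we setting
 if not self.base.endswith('/'):
 self.base = self.base + '/'
 
@@ -1473,10 +1476,15 @@
 
 for ((path, name), (value, expire)) in self._cookies.iteritems():
 cookie = "%s=%s; Path=%s;"%(name, value, path)
 if expire is not None:
 cookie += " expires=%s;"%get_cookie_date(expire)
+# mark as secure if https, see issue2550689
+if self.secure:
+cookie += " secure;"
+# prevent theft of session cookie, see issue2550689
+cookie += " HttpOnly;"
 headers.append(('Set-Cookie', cookie))
 
 self._socket_op(self.request.start_response, headers, response)
 
 self.headers_done = 1
@@ -1506,21 +1514,10 @@
 path = self.cookie_path
 if not value:
 expire = -1
 self._cookies[(path, name)] = (value, expire)
 
-def set_cookie(self, user, expire=None):
-"""Deprecated. Use session_api calls directly
-
-XXX remove
-"""
-
-# insert the session in the session db
-self.session_api.set(user=user)
-# refresh session cookie
-self.session_api.update(set_cookie=True, expire=expire)
-
 def make_user_anonymous(self):
 """ Make us anonymous
 
 This method used to handle non-existence of the 'anonymous'
 user, but that user is mandatory now.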
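Review bot: The Secure decision in the first hunk, `self.secure = self.base.startswith ('https')`, is derived from the configured TRACKER_WEB rather than from the request, so a tracker that is actually served over TLS but has an http:// TRACKER_WEB keeps sending non-Secure session cookies, and the check is case-sensitive and matches any prefix rather than a scheme. A tighter one-liner is `self.secure = self.base.lower().startswith('https://')`; if the request scheme is reachable from env (wsgi.url_scheme or HTTPS — I cannot see env's contents from here) it would be worth OR-ing that in as well. In the second hunk HttpOnly is appended to every cookie in `self._cookies`, not only the session cookie, which is a sensible default but will break any client-side script that reads a tracker cookie, so a comment such as `# applies to every cookie we emit, not only the session cookie` would make that deliberate. The enclosing methods of all three hunks start outside the view, and since the description says browser behaviour is untested, a unit test asserting the emitted Set-Cookie header for an https and an http TRACKER_WEB would be cheap insurance.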
