diff roundup/cgi/client.py @ 4586:b21bb66de6ff
Mark cookies HttpOnly and -- if https is used -- secure.
Fixes issue2550689, but it is untested whether this really works in browsers.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Thu, 23 Feb 2012 14:55:35 +0100 |
| parents | 941681fec1b0 |
| children | 4f9c3858b671 |
--- a/roundup/cgi/client.py Tue Feb 07 14:39:02 2012 +0100
+++ b/roundup/cgi/client.py Thu Feb 23 14:55:35 2012 +0100
@@ -296,6 +296,9 @@
# this is the base URL for this tracker
self.base = self.instance.config.TRACKER_WEB
+ # should cookies be secure?
+ self.secure = self.base.startswith ('https')
+
# check the tracker_we setting
if not self.base.endswith('/'):
self.base = self.base + '/'
@@ -1475,6 +1478,11 @@
cookie = "%s=%s; Path=%s;"%(name, value, path)
if expire is not None:
cookie += " expires=%s;"%get_cookie_date(expire)
+ # mark as secure if https, see issue2550689
+ if self.secure:
+ cookie += " secure;"
+ # prevent theft of session cookie, see issue2550689
+ cookie += " HttpOnly;"
headers.append(('Set-Cookie', cookie))
self._socket_op(self.request.start_response, headers, response)
@@ -1508,17 +1516,6 @@
expire = -1
self._cookies[(path, name)] = (value, expire)
- def set_cookie(self, user, expire=None):
- """Deprecated. Use session_api calls directly
-
- XXX remove
- """
-
- # insert the session in the session db
- self.session_api.set(user=user)
- # refresh session cookie
- self.session_api.update(set_cookie=True, expire=expire)
-
def make_user_anonymous(self):
""" Make us anonymous
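Review bot: The Secure decision in the first hunk is taken from the configured TRACKER_WEB prefix rather than from the scheme of the request actually being answered, so a tracker reached over https behind a TLS-terminating proxy whose TRACKER_WEB is http never gets the flag, while the reverse configuration emits a Secure cookie the browser will not send back over plain http and sessions silently stop working. At minimum the test should require the full scheme and ignore case instead of matching any prefix, `self.secure = self.base.lower().startswith('https:')`; deriving it from the request environment (the `HTTPS` CGI variable or `wsgi.url_scheme`) would be more robust, if the Client has that environment at hand. The same flag is consumed in the second hunk where the `secure;` and `HttpOnly;` attributes are appended to the Set-Cookie value, and a short comment there noting that Secure depends on the configured scheme would help the next reader. Both enclosing methods start and end outside the hunks.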
