Brian Sutherland
2010-12-17 3b5782ea83aa8062754a9d983b15f87317ba6c1b

author    Brian Sutherland <brian@vanguardistas.net>, Friday, December 17, 2010 09:21 +0100
committer Brian Sutherland <brian@vanguardistas.net>, Friday, December 17, 2010 09:21 +0100
commit    3b5782ea83aa8062754a9d983b15f87317ba6c1b
tree      897fb0e02d976612912ab3e7010580152fdac99a
parent    d7e64797a8809c8321faf4bc08fceb8b56bdb547
When the auth_tkt plugin is passed secure=True, add HttpOnly to the cookie.

I'm not completely sure of this one, so I'm adding it as a separate patch. It seems
reasonable in this case to always add the HttpOnly option whether secure is
True or False. But that may break sites needing to access the auth_tkt via JS.
But I cannot even imagine a sane use case for that.

A third option would be to add an HttpOnly option to the plugin __init__ which
defaults to True.
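The three options weighed in the commit message (HttpOnly only when secure=True, HttpOnly always, or an httponly flag on the plugin that defaults to True) come down to which attributes end up on the Set-Cookie header. The following is an added example, not code from repoze.who or this commit: it builds an auth_tkt-style cookie header with Python's standard-library SimpleCookie using a hypothetical `build_auth_cookie` signature that takes `httponly=True` by default (the third option), and it includes a small checker that a reviewer or a test can run against any Set-Cookie header to report which of Secure and HttpOnly is missing. The cookie name and value below are constructed sample data.

```python
from http.cookies import SimpleCookie


def build_auth_cookie(name, value, secure=False, httponly=True, path="/"):
    """Return a Set-Cookie header value for a session cookie.

    `httponly` defaults to True, mirroring the "third option" in the commit
    message (an HttpOnly option on the plugin that defaults to True). This
    signature is hypothetical and is not the repoze.who plugin's API.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if secure:
        # Secure: the browser only sends the cookie over HTTPS.
        jar[name]["secure"] = True
    if httponly:
        # HttpOnly: the cookie is invisible to document.cookie / JS.
        jar[name]["httponly"] = True
    return jar[name].OutputString()


def cookie_attributes(set_cookie_header):
    """Return the lowercase attribute names present on a Set-Cookie value.

    The first segment is the name=value pair; every later ';'-separated
    segment is an attribute such as Path=/, Secure or HttpOnly.
    """
    segments = [s.strip() for s in set_cookie_header.split(";")]
    attrs = set()
    for segment in segments[1:]:
        if segment:
            attrs.add(segment.split("=", 1)[0].strip().lower())
    return attrs


def missing_protections(set_cookie_header):
    """Return the sorted list of Secure/HttpOnly attributes the cookie lacks.

    An empty list means the session cookie carries both protections.
    """
    attrs = cookie_attributes(set_cookie_header)
    return sorted(a for a in ("httponly", "secure") if a not in attrs)


if __name__ == "__main__":
    # Constructed sample: the ticket value is not a real auth_tkt ticket.
    header = build_auth_cookie("auth_tkt", "deadbeef", secure=True)
    print(header)                         # auth_tkt=deadbeef; HttpOnly; Path=/; Secure
    print(missing_protections(header))    # []
    print(missing_protections("auth_tkt=deadbeef; Path=/"))  # ['httponly', 'secure']
```

`missing_protections` is the check to drop into a test suite: run it over every Set-Cookie header the application emits for its session cookie and fail the test if the list is non-empty, which catches a regression in either direction of the secure/HttpOnly coupling discussed above.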

3 files modified, 15 lines changed:
CHANGES.txt (7)
repoze/who/plugins/auth_tkt.py (2)
repoze/who/plugins/tests/test_authtkt.py (6)