Brian Sutherland
2010-12-17 3b5782ea83aa8062754a9d983b15f87317ba6c1b
When the auth_tkt plugin is passed secure=True, add HttpOnly to the cookie.

I'm not completely sure of this one, so adding it as a separate patch. It seems
reasonable in this case to always add the HttpOnly option whether secure is
True or False. But that may break sites needing to access the auth_tkt via JS.
But I cannot even imagine a sane use case for that.

A third option would be to add an HttpOnly option to the plugin __init__ which
defaults to True.

3 files modified:
- CHANGES.txt
- repoze/who/plugins/auth_tkt.py
- repoze/who/plugins/tests/test_authtkt.py
CHANGES.txt
@@ -12,9 +12,10 @@
- Fix auth_tkt plugin to not hand over tokens as strings to paste. See
  http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html
- Fix auth_tkt plugin to add "secure" to cookies when it is configured with
  secure=True. Before this was not added meaning that cookies could be sent
  by the browser over insecure channels.
- Fix auth_tkt plugin to add "secure" and "HttpOnly" to cookies when it is
  configured with secure=True. Before this was not added meaning that cookies
  could be sent by the browser over insecure channels and were vulnerable to some
  XSS attacks.
- Avoid propagating unicode 'max_age' value into cookie headers.  See
  https://bugs.launchpad.net/bugs/674123 .
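Review bot: the wording "were vulnerable to some XSS attacks" in the replacement entry overstates what HttpOnly does; the flag does not prevent XSS, it stops script in the page from reading the cookie, which limits cookie theft once an XSS exists. Suggest phrasing the entry as "could be read by client-side script (for example via an XSS flaw) because HttpOnly was not set". It would also help to state explicitly that HttpOnly is only emitted when secure=True, since that coupling is the open question raised in the commit message and a reader of CHANGES.txt will not see the message.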
repoze/who/plugins/auth_tkt.py
@@ -172,7 +172,7 @@
        secure = ''
        if self.secure:
            secure = '; secure'
            secure = '; secure; HttpOnly'
        cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
        wild_domain = '.' + cur_domain
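Review bot: HttpOnly is tied to `self.secure` here, so a deployment running over plain HTTP (secure=False) still issues a cookie that is readable from JavaScript, although nothing about HttpOnly depends on the transport. The two attributes address different risks (secure: interception in transit; HttpOnly: script access in the browser) and should be controlled independently; the commit message's third option, a separate `httponly` constructor argument defaulting to True, appended to the attribute string regardless of `secure`, would cover both cases. As a minor point, the variable is still named `secure` while it now carries `'; secure; HttpOnly'`, so a name like `cookie_attrs` would make the intent clearer.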
repoze/who/plugins/tests/test_authtkt.py
@@ -188,14 +188,14 @@
        self.assertEqual(len(result), 3)
        self.assertEqual(result[0],
                         ('Set-Cookie',
                          'auth_tkt="%s"; Path=/; secure' % val))
                          'auth_tkt="%s"; Path=/; secure; HttpOnly' % val))
        self.assertEqual(result[1],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=localhost; secure'
                           'auth_tkt="%s"; Path=/; Domain=localhost; secure; HttpOnly'
                            % val))
        self.assertEqual(result[2],
                         ('Set-Cookie',
                           'auth_tkt="%s"; Path=/; Domain=.localhost; secure'
                           'auth_tkt="%s"; Path=/; Domain=.localhost; secure; HttpOnly'
                            % val))
    def test_remember_creds_different(self):
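Review bot: all three updated assertions exercise only the secure=True path, so the decision to couple HttpOnly to `secure` is not pinned down by a test; the secure=False output is not asserted anywhere in this hunk. Add (or extend) a test for the secure=False case that checks whether `HttpOnly` is present, so the chosen behaviour is explicit, and if HttpOnly later becomes its own option, cover both settings of it.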