When the auth_tkt plugin is passed secure=True, add HttpOnly to the cookie.
I'm not completely sure of this one, so adding it as a separate patch. It seems
reasonable in this case to always add the HttpOnly option whether secure is
True or False. But that may break sites needing to access the auth_tkt via JS.
But I cannot even imagine a sane use case for that.
A third option would be to add an HttpOnly option to the plugin __init__ which
defaults to True.
| | |
| | | - Fix auth_tkt plugin to not hand over tokens as strings to paste. See |
| | | http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html |
| | | |
| | | - Fix auth_tkt plugin to add "secure" to cookies when it is configured with |
| | | secure=True. Before this was not added meaning that cookies could be sent |
| | | by the browser over insecure channels. |
| | | - Fix auth_tkt plugin to add "secure" and "HttpOnly" to cookies when it is |
| | | configured with secure=True. Before this was not added meaning that cookies |
| | | could be sent by the browser over insecure channels and were vulnerable to some |
| | | XSS attacks. |
| | | |
| | | - Avoid propagating unicode 'max_age' value into cookie headers. See |
| | | https://bugs.launchpad.net/bugs/674123 . |
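Review bot: the rewritten entry's "were vulnerable to some XSS attacks" overstates what HttpOnly buys; the flag stops script (document.cookie) from reading the ticket, so the risk it addresses is theft of the cookie by injected script, not XSS itself. Suggest "...were readable by script, so an XSS bug elsewhere on the site could steal the ticket". The entry should also state that HttpOnly is only emitted when the plugin is configured with secure=True, since a reader of CHANGES would otherwise assume every auth_tkt cookie now carries it.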
| | |
| | | |
| | | secure = '' |
| | | if self.secure: |
| | | secure = '; secure' |
| | | secure = '; secure; HttpOnly' |
| | | |
| | | cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME')) |
| | | wild_domain = '.' + cur_domain |
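Review bot: gating HttpOnly on self.secure means a plugin configured with secure=False (plain-HTTP deployments) gets neither attribute, although HttpOnly is just as useful there; the commit message already floats a separate option for this. Suggest building the suffix from two independent checks, e.g. `secure = '; secure' if self.secure else ''` and `httponly = '; HttpOnly' if self.httponly else ''`, and appending both to each Set-Cookie value, with `httponly` defaulting to True in __init__ so existing configurations pick it up.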
| | |
| | | self.assertEqual(len(result), 3) |
| | | self.assertEqual(result[0], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; secure' % val)) |
| | | 'auth_tkt="%s"; Path=/; secure; HttpOnly' % val)) |
| | | self.assertEqual(result[1], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; Domain=localhost; secure' |
| | | 'auth_tkt="%s"; Path=/; Domain=localhost; secure; HttpOnly' |
| | | % val)) |
| | | self.assertEqual(result[2], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; Domain=.localhost; secure' |
| | | 'auth_tkt="%s"; Path=/; Domain=.localhost; secure; HttpOnly' |
| | | % val)) |
| | | |
| | | def test_remember_creds_different(self): |
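Review bot: the updated assertions only exercise the secure=True path; nothing in this hunk pins down the secure=False behaviour, where the three cookies now carry neither `secure` nor `HttpOnly`. Suggest a companion test that constructs the plugin with secure=False and asserts the Set-Cookie values end at `Path=/`, `Domain=localhost` and `Domain=.localhost` with no trailing attributes, so the coupling of the two flags is explicit and a later independent HttpOnly option has a baseline to change against.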