Fix auth_tkt plugin to add "secure" to cookies when it is configured with
secure=True. Previously the attribute was not added, meaning that the browser
could send the cookies over insecure channels.
| | |
| | | - Fix auth_tkt plugin to not hand over tokens as strings to paste. See |
| | | http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html |
| | | |
| | | - Fix auth_tkt plugin to add "secure" to cookies when it is configured with |
| | | secure=True. Before this was not added meaning that cookies could be sent |
| | | by the browser over insecure channels. |
| | | |
| | | - Avoid propagating unicode 'max_age' value into cookie headers. See |
| | | https://bugs.launchpad.net/bugs/674123 . |
| | | |
| | |
| | | else: |
| | | max_age = '' |
| | | |
| | | secure = '' |
| | | if self.secure: |
| | | secure = '; secure' |
| | | |
| | | cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME')) |
| | | wild_domain = '.' + cur_domain |
| | | cookies = [ |
| | | ('Set-Cookie', '%s="%s"; Path=/%s' % ( |
| | | self.cookie_name, value, max_age)), |
| | | ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s' % ( |
| | | self.cookie_name, value, cur_domain, max_age)), |
| | | ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s' % ( |
| | | self.cookie_name, value, wild_domain, max_age)) |
| | | ('Set-Cookie', '%s="%s"; Path=/%s%s' % ( |
| | | self.cookie_name, value, max_age, secure)), |
| | | ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % ( |
| | | self.cookie_name, value, cur_domain, max_age, secure)), |
| | | ('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % ( |
| | | self.cookie_name, value, wild_domain, max_age, secure)) |
| | | ] |
| | | return cookies |
| | | |
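Review bot: The local `secure` introduced at `secure = ''` holds a header fragment while `self.secure` is the boolean option, and the fragment is then threaded as an extra `%s` slot through all three Set-Cookie format strings; a clearer shape is to name it for what it is and fold it with `max_age` once, e.g. `attrs = max_age + secure` followed by `'%s="%s"; Path=/; Domain=%s%s' % (self.cookie_name, value, cur_domain, attrs)` for each entry, which also keeps the three strings in lockstep if another attribute is added later. Since the auth ticket cookie is a bearer credential, an `HttpOnly` attribute emitted under a parallel option (name to be chosen; nothing on the page defines one) would be a natural follow-up hardening alongside `secure`, but it is outside this change. The enclosing method starts before this hunk, so the branch that fills `max_age` is not visible here.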
| | |
| | | 'userdata':'userdata'}) |
| | | self.assertEqual(result, None) |
| | | |
| | | def test_remember_creds_secure(self): |
| | | plugin = self._makeOne('secret', secure=True) |
| | | val = self._makeTicket(userid='userid', secure=True) |
| | | environ = self._makeEnviron() |
| | | result = plugin.remember(environ, {'repoze.who.userid':'userid', |
| | | 'userdata':'userdata'}) |
| | | self.assertEqual(len(result), 3) |
| | | self.assertEqual(result[0], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; secure' % val)) |
| | | self.assertEqual(result[1], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; Domain=localhost; secure' |
| | | % val)) |
| | | self.assertEqual(result[2], |
| | | ('Set-Cookie', |
| | | 'auth_tkt="%s"; Path=/; Domain=.localhost; secure' |
| | | % val)) |
| | | |
| | | def test_remember_creds_different(self): |
| | | plugin = self._makeOne('secret') |
| | | old_val = self._makeTicket(userid='userid') |