changeset 5146:2df8a041ae90

change cookie_httponly default to False, makes trouble with TWikiDraw
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 16 Sep 2009 12:46:14 +0200
parents 262be8bcef0d
children e25e3a6042a8
files MoinMoin/config/multiconfig.py docs/CHANGES
diffstat 2 files changed, 6 insertions(+), 2 deletions(-)
--- a/MoinMoin/config/multiconfig.py	Mon Sep 14 22:28:57 2009 +0200
+++ b/MoinMoin/config/multiconfig.py	Wed Sep 16 12:46:14 2009 +0200
@@ -711,7 +711,7 @@
      "The session service."),
     ('cookie_secure', None,
      'Use secure cookie. (None = auto-enable secure cookie for https, True = ever use secure cookie, False = never use secure cookie).'),
-    ('cookie_httponly', True,
+    ('cookie_httponly', False,
      'Use a httponly cookie that can only be used by the server, not by clientside scripts.'),
     ('cookie_domain', None,
      'Domain used in the session cookie. (None = do not specify domain).'),
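Review bot: The new False default on the ('cookie_httponly', False, line turns HttpOnly off for every wiki, including those that never use TWikiDraw, so the session cookie is readable by client-side scripts unless an admin opts in, and the description string on the next line says nothing about that. Consider keeping True as the default and letting sites that need TWikiDraw opt out. At minimum, extend the help text to state that False leaves the session cookie accessible to page scripts and that True stops TWikiDraw from saving on pages that are not writable by everybody.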
--- a/docs/CHANGES	Mon Sep 14 22:28:57 2009 +0200
+++ b/docs/CHANGES	Wed Sep 16 12:46:14 2009 +0200
@@ -154,7 +154,11 @@
       of the cookie in hours, accepting floats, for anon sessions and logged in
       sessions. Default is (0, 12). 0 means not to use a session cookie (== not
       to establish a session) and makes only sense for anon users.
-  * cfg.cookie_httponly is new and defaults to True.
+  * cfg.cookie_httponly is new and defaults to False. Please note that if you
+    set it to True, TWikiDraw and similar stuff won't be able to use the session
+    cookie. Thus, if your wiki page doesn't allow writing for everybody, saving
+    a drawing will fail, because there is no session (== no logged in user) for
+    the TWikiDraw applet's saving POSTs.
 
   Removed features:
   * Removed cfg.traceback_* settings (use logging configuration)
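Review bot: The added CHANGES text for cfg.cookie_httponly explains only what breaks when it is True and never states what the False default gives up, namely that the session cookie remains usable by client-side scripts. Add a sentence recommending that wikis which do not use TWikiDraw set cfg.cookie_httponly to True, and replace "TWikiDraw and similar stuff" with a concrete description of what is affected, so admins can tell whether the restriction applies to them.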