changeset 4084:be4cefe2a219

secure session cookies for https, cfg.cookie_secure
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Fri, 12 Sep 2008 22:01:46 +0200
parents d6a1f2c37f09
children afd75bb5f345 087eac1e1497
files MoinMoin/config/multiconfig.py MoinMoin/session.py
diffstat 2 files changed, 8 insertions(+), 0 deletions(-) [+]
--- a/MoinMoin/config/multiconfig.py	Tue Sep 09 00:11:28 2008 +0200
+++ b/MoinMoin/config/multiconfig.py	Fri Sep 12 22:01:46 2008 +0200
@@ -281,6 +281,10 @@
     cookie_domain = None # use '.domain.tld" for a farm with hosts in that domain
     cookie_path = None   # use '/wikifarm" for a farm with pathes below that path
     cookie_lifetime = 12 # 12 hours from now
+    cookie_secure = None # a secure cookie is not transmitted over unsecure connection
+                         # None = auto-enable secure cookie for https
+                         # True = ever use secure cookie
+                         # False = never use secure cookie
 
     data_dir = './data/'
     data_underlay_dir = './underlay/'
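Review bot: The new `cookie_secure` comment on the added lines reads "unsecure" and "True = ever use secure cookie"; the first should be "insecure" and the second "always use secure cookie", otherwise the three-value semantics are easy to misread. I would also make the comment say what "auto" actually keys on, since the session-side change tests `request.is_ssl`: `cookie_secure = None # the Secure flag stops the browser sending the cookie over plain http` / `# None = set the flag when request.is_ssl (i.e. the wiki itself served the request over https)` / `# True = always set the flag, False = never set it`. It would help admins to add a sentence that installations terminating TLS on a reverse proxy may need `True`, because whether `request.is_ssl` sees the proxied request as https is not visible in this changeset. The enclosing `Config` class starts and ends outside the hunk.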
--- a/MoinMoin/session.py	Tue Sep 09 00:11:28 2008 +0200
+++ b/MoinMoin/session.py	Fri Sep 12 22:01:46 2008 +0200
@@ -318,6 +318,10 @@
             cookie[cookie_name]['path'] = path
         # Set expires for older clients
         cookie[cookie_name]['expires'] = request.httpDate(when=expires, rfc='850')
+        # a secure cookie is not transmitted over unsecure connections:
+        if (cfg.cookie_secure or  # True means: force secure cookies
+            cfg.cookie_secure is None and request.is_ssl):  # None means: https -> secure cookie
+            cookie[cookie_name]['secure'] = True
         return cookie.output()
 
     def _set_cookie(self, request, cookie_string, expires):
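Review bot: The auto mode on the added lines sets the Secure flag only when `request.is_ssl` is true, so a wiki served through a TLS-terminating reverse proxy (where the backend sees plain http) will keep emitting non-secure session cookies unless the admin sets `cfg.cookie_secure = True`; that limitation should be stated in the comment, e.g. `# None: auto-detect via request.is_ssl; behind a TLS-terminating proxy this may be False, set cookie_secure = True explicitly`. The condition relies on `and` binding tighter than `or`, which is correct but worth making explicit: `if cfg.cookie_secure or (cfg.cookie_secure is None and request.is_ssl):`. No `httponly` attribute is set in the visible cookie construction; whether the Cookie module in use supports it cannot be told from this hunk, but if it does, setting it alongside `secure` would limit script access to the session cookie. The enclosing method starts outside the hunk.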