[Zope-CVS] CVS: Products/CookieCrumbler - CHANGES.txt:1.16 CookieCrumbler.py:1.24

Shane Hathaway shane at zope.com
Mon Jun 14 12:34:44 EDT 2004


Update of /cvs-repository/Products/CookieCrumbler
In directory cvs.zope.org:/tmp/cvs-serv17392

Modified Files:
	CHANGES.txt CookieCrumbler.py 
Log Message:
Secured cookies set in HTTPS mode.  Also updated CHANGES.


=== Products/CookieCrumbler/CHANGES.txt 1.15 => 1.16 ===
--- Products/CookieCrumbler/CHANGES.txt:1.15	Sat Apr 17 00:15:33 2004
+++ Products/CookieCrumbler/CHANGES.txt	Mon Jun 14 12:34:35 2004
@@ -1,14 +1,20 @@
 
-Next release
+After the next release
 
 - Added SessionCookieCrumber. This is a new object type that can be
   used as a replacement to CookieCrumber. Instead of storing usernames
   and passwords in a Cookie, they are instead stored on the server in
   the SESSION. This greatly improves security, but may complicate
   ZEO installations (as server affinity will be required, or the
-  session_data shared between all ZEO clients). All users will be 
+  session_data shared between all ZEO clients). All users will be
   logged out if the SESSION data store is cleared, for example
   when restarting a server that is storing SESSION data in RAM.
+
+
+Next release
+
+- Cookies set on an HTTPS connection are now marked as secure, meaning
+  they will not be transmitted over HTTP.
 
 - CookieCrumbler now lets you disable or modify the Cache-Control
   header to work around MSIE's irrational handling of the Cache-Control
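Review bot: The new "Next release" entry should state what "on an HTTPS connection" actually means in this change, because the code (see the CookieCrumbler.py hunk below) decides it from `req.get('SERVER_URL', '').startswith('https:')` rather than from anything the browser sent. That matters for sites that terminate TLS at a front-end proxy and reach Zope over plain http: there SERVER_URL starts with `http:` and the cookie is still set without the secure flag. The second half of the entry is also imprecise: the secure attribute does not stop the cookie being transmitted in the response, it tells the browser to send it back only over HTTPS. Suggested wording: "Cookies set when the request's SERVER_URL is https: are now marked secure, so browsers will send them back only over HTTPS. Deployments that terminate SSL in front of Zope need SERVER_URL to reflect https: for this to take effect."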


=== Products/CookieCrumbler/CookieCrumbler.py 1.23 => 1.24 ===
--- Products/CookieCrumbler/CookieCrumbler.py:1.23	Sat Apr 17 00:15:33 2004
+++ Products/CookieCrumbler/CookieCrumbler.py	Mon Jun 14 12:34:36 2004
@@ -124,12 +124,18 @@
         return getattr(self, name, default)
 
     security.declarePrivate('defaultSetAuthCookie')
-    def defaultSetAuthCookie( self, resp, cookie_name, cookie_value ):
-        resp.setCookie( cookie_name, cookie_value, path=self.getCookiePath())
+    def defaultSetAuthCookie(self, resp, cookie_name, cookie_value):
+        kw = {}
+        req = getattr(self, 'REQUEST', None)
+        if req is not None and req.get('SERVER_URL', '').startswith('https:'):
+            # Ask the client to send back the cookie only in SSL mode
+            kw['secure'] = 'y'
+        resp.setCookie(cookie_name, cookie_value,
+                       path=self.getCookiePath(), **kw)
 
     security.declarePrivate('defaultExpireAuthCookie')
-    def defaultExpireAuthCookie( self, resp, cookie_name ):
-        resp.expireCookie( cookie_name, path=self.getCookiePath())
+    def defaultExpireAuthCookie(self, resp, cookie_name):
+        resp.expireCookie(cookie_name, path=self.getCookiePath())
 
     security.declarePrivate('modifyRequest')
     def modifyRequest(self, req, resp):
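Review bot: The `startswith('https:')` test on SERVER_URL in `defaultSetAuthCookie` silently does nothing when SSL is terminated in front of Zope and the ZServer itself is reached over http, which is exactly the configuration where an unflagged `__ac` cookie is most likely to leak onto a plain-http request. Consider giving the crumbler an explicit property (for example a "force secure cookies" flag) that is OR'd with the SERVER_URL check, and documenting the SERVER_URL dependency in a docstring, since the method has none; the comment "Ask the client to send back the cookie only in SSL mode" is the only hint of the condition. Two smaller points: `getattr(self, 'REQUEST', None)` relies on acquisition to find the request even though `resp` is already passed in, so the docstring should say the method must be called in a request context; and `defaultExpireAuthCookie` does not pass `secure`, which is fine for expiry (browsers match the cookie to replace on name and path), but a one-line comment there would save the next reader from "fixing" it.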
