[Zope-CVS] CVS: Products/CookieCrumbler - CHANGES.txt:1.16 CookieCrumbler.py:1.24
Shane Hathaway
shane at zope.com
Mon Jun 14 12:34:44 EDT 2004
Update of /cvs-repository/Products/CookieCrumbler
In directory cvs.zope.org:/tmp/cvs-serv17392
Modified Files:
CHANGES.txt CookieCrumbler.py
Log Message:
Secured cookies set in HTTPS mode. Also updated CHANGES.
=== Products/CookieCrumbler/CHANGES.txt 1.15 => 1.16 ===
--- Products/CookieCrumbler/CHANGES.txt:1.15 Sat Apr 17 00:15:33 2004
+++ Products/CookieCrumbler/CHANGES.txt Mon Jun 14 12:34:35 2004
@@ -1,14 +1,20 @@
-Next release
+After the next release
- Added SessionCookieCrumber. This is a new object type that can be
used as a replacement to CookieCrumber. Instead of storing usernames
and passwords in a Cookie, they are instead stored on the server in
the SESSION. This greatly improves security, but may complicate
ZEO installations (as server affinity will be required, or the
- session_data shared between all ZEO clients). All users will be
+ session_data shared between all ZEO clients). All users will be
logged out if the SESSION data store is cleared, for example
when restarting a server that is storing SESSION data in RAM.
+
+
+Next release
+
+- Cookies set on an HTTPS connection are now marked as secure, meaning
+ they will not be transmitted over HTTP.
- CookieCrumbler now lets you disable or modify the Cache-Control
header to work around MSIE's irrational handling of the Cache-Control
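Review bot: The `-`/`+` pair at the `session_data shared between all ZEO clients)` line is a whitespace-only change with no visible difference; drop it from the patch (or mention the reindent in the log message) so the hunk's real content, the renamed `After the next release` heading and the new `Next release` entry, stands out. The new entry's wording "they will not be transmitted over HTTP" describes the browser side correctly, but it would help CHANGES readers to add that the flag is applied only when Zope itself sees the request as HTTPS (the code keys on `SERVER_URL`), since a deployment with a TLS-terminating proxy in front that forwards plain HTTP gets no Secure attribute unless `SERVER_URL` is rewritten.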
=== Products/CookieCrumbler/CookieCrumbler.py 1.23 => 1.24 ===
--- Products/CookieCrumbler/CookieCrumbler.py:1.23 Sat Apr 17 00:15:33 2004
+++ Products/CookieCrumbler/CookieCrumbler.py Mon Jun 14 12:34:36 2004
@@ -124,12 +124,18 @@
return getattr(self, name, default)
security.declarePrivate('defaultSetAuthCookie')
- def defaultSetAuthCookie( self, resp, cookie_name, cookie_value ):
- resp.setCookie( cookie_name, cookie_value, path=self.getCookiePath())
+ def defaultSetAuthCookie(self, resp, cookie_name, cookie_value):
+ kw = {}
+ req = getattr(self, 'REQUEST', None)
+ if req is not None and req.get('SERVER_URL', '').startswith('https:'):
+ # Ask the client to send back the cookie only in SSL mode
+ kw['secure'] = 'y'
+ resp.setCookie(cookie_name, cookie_value,
+ path=self.getCookiePath(), **kw)
security.declarePrivate('defaultExpireAuthCookie')
- def defaultExpireAuthCookie( self, resp, cookie_name ):
- resp.expireCookie( cookie_name, path=self.getCookiePath())
+ def defaultExpireAuthCookie(self, resp, cookie_name):
+ resp.expireCookie(cookie_name, path=self.getCookiePath())
security.declarePrivate('modifyRequest')
def modifyRequest(self, req, resp):
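Review bot: Deciding on the Secure attribute from `req.get('SERVER_URL', '').startswith('https:')` only works when Zope itself sees the request as HTTPS; behind a proxy that terminates TLS and forwards plain HTTP, `SERVER_URL` is `http:` unless the proxy or a VirtualHostMonster rewrites it, so the auth cookie would silently be set without Secure. Worth a sentence in the `defaultSetAuthCookie` docstring, and a small test that calls it with a stub response under an `https:` and an `http:` `SERVER_URL` and checks whether `secure` reaches `setCookie` would lock the behaviour in. Also, `defaultExpireAuthCookie` deliberately passes no `secure` flag; that is fine since browsers match cookies by name, domain and path, but a one-line comment there would save the next reader the question of why the two methods differ.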