[PATCH] middleware: use secure cookies over secure connections

Andrew Shadura andrew at shadura.me
Fri Mar 6 10:26:42 EST 2015


Hi,

On 6 March 2015 at 16:17, Mads Kiilerich <mads at kiilerich.com> wrote:
>> Use our own wrapper around Beaker's SessionMiddleware class to
>> give secure cookies over HTTPS connections.

> It would also be nice to have a clear statement of what problem this is
> solving. There was no way to flag cookies as "secure" when using https? In
> which scenarios would that be a problem ... and how big?

There's no way in Beaker to dynamically add secure flag depending on
where the request comes from. We definitely don't want secure cookies
when we don't have HTTPS, and when we do, we probably want secure
cookies.

> I assume it would be better to use plain Beaker for this ... but I assume
> you have tried and researched and concluded that this was the best way to do
> it? Please you share your findings - perhaps as a comment in
> sessionmiddleware.py or in the commit message. Is it a bug or
> not-yet-implemented feature or philosophical disagreement?

It currently just accepts it as an always set option, so you can
either enable it for all connections or disable in globally.

>> +:created_on: March 04, 2015
>> +:author: andrewsh
>> +:copyright: (c) 2015 Andrew Shadura
>> +:license: GPLv3, see LICENSE.md for more details.
>> +"""

> Unless it already has been fixed / contributed upstream, the license of this
> could perhaps be made compatible with upstream so they can take it back?

There are just two lines of code worth copying upstream
(questionable), so I don't think it's copyrightable.

>> +        super(SessionMiddleware, self).__init__(wrap_app, config,
>> +            environ_key, **kwargs)
>> +        self.options["secure"] = False
>> +        # self.options["httponly"] = True

> I guess this either should be removed or have a comment to explain what the
> purpose is and when it can be useful?

This is a line of code I thought of including, but I'm not sure how it
would interact with the rest of changes I have planned, so I just kept
it here for the reference (or as an example of what else can be done
here).

-- 
Cheers,
  Andrew


More information about the kallithea-general mailing list