Issue #251: Secure flag not set on cookie. (conservancy/kallithea)

Chris Wesseling issues-reply at bitbucket.org
Tue Nov 8 15:40:40 UTC 2016


New issue 251: Secure flag not set on cookie.
https://bitbucket.org/conservancy/kallithea/issues/251/secure-flag-not-set-on-cookie

Chris Wesseling:

I'm running 0.3.2 with Apache in front of it to provide TLS.
I set these headers on the request to make clear to Kallithea that it is being accessed securely:

        RequestHeader set X-FORWARDED-PROTOCOL https
        RequestHeader set X-FORWARDED-SSL on
        RequestHeader set X-URL-SCHEME https

And I even tried the advised (even though I don't understand how setting something in the Apache env can have consequences on a backend that is only communicated with through HTTP):

        SetEnvIf X-Url-Scheme https HTTPS=1

But the kallithea-cookie doesn't have the secure flag set (just the httponly flag):

        Set-Cookie:kallithea=bf7e93[...cut...]db8ce7d9; httponly; Path=/

Is there something in the Kallithea config that I should set?
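
A way to check captured `Set-Cookie` headers for the missing flag described in this report, as an added example that is not part of the original post or of Kallithea's code. The function names and the sample header values are constructed for illustration; attribute matching is case-insensitive and ignores the word "secure" when it only appears in a cookie name or value.

```python
from typing import Dict, List

# Attributes a session cookie served over TLS is expected to carry.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    # Tolerate a pasted "Set-Cookie:" prefix, as in the header quoted above.
    if header_value.lower().startswith("set-cookie:"):
        header_value = header_value.split(":", 1)[1]
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header_value: str) -> List[str]:
    """Return the required flags that are absent from the cookie's attributes."""
    attrs = parse_set_cookie(header_value)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name to its missing flags, listing only cookies that miss one."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            report[str(parse_set_cookie(header)["name"])] = missing
    return report


# Constructed sample values (the cookie values are placeholders).
SAMPLES = [
    "Set-Cookie:kallithea=0123abcd; httponly; Path=/",   # shape seen in the report
    "kallithea=0123abcd; Secure; HttpOnly; Path=/",      # both flags present
    "secure_pref=1; Path=/",                             # "secure" only in the name
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLES).items():
        print(f"{name}: missing {', '.join(missing)}")
```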



