Hi,

On 6 March 2015 at 16:17, Mads Kiilerich <[email protected]> wrote:
>> Use our own wrapper around Beaker's SessionMiddleware class to
>> give secure cookies over HTTPS connections.
>
> It would also be nice to have a clear statement of what problem this is
> solving. There was no way to flag cookies as "secure" when using https? In
> which scenarios would that be a problem ... and how big?

There's no way in Beaker to dynamically add the secure flag depending on
where the request comes from. We definitely don't want secure cookies when
we don't have HTTPS, and when we do, we probably want secure cookies.

> I assume it would be better to use plain Beaker for this ... but I assume
> you have tried and researched and concluded that this was the best way to do
> it? Please share your findings - perhaps as a comment in
> sessionmiddleware.py or in the commit message. Is it a bug or
> not-yet-implemented feature or philosophical disagreement?

It currently just accepts it as an always-set option, so you can either
enable it for all connections or disable it globally.

>> +:created_on: March 04, 2015
>> +:author: andrewsh
>> +:copyright: (c) 2015 Andrew Shadura
>> +:license: GPLv3, see LICENSE.md for more details.
>> +"""
>
> Unless it already has been fixed / contributed upstream, the license of this
> could perhaps be made compatible with upstream so they can take it back?

There are just two lines of code worth copying upstream (questionable),
so I don't think it's copyrightable.

>> + super(SessionMiddleware, self).__init__(wrap_app, config,
>> + environ_key, **kwargs)
>> + self.options["secure"] = False
>> + # self.options["httponly"] = True
>
> I guess this either should be removed or have a comment to explain what the
> purpose is and when it can be useful?

This is a line of code I thought of including, but I'm not sure how it
would interact with the rest of the changes I have planned, so I just kept it
here for reference (or as an example of what else can be done here).

-- 
Cheers,
Andrew
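
Review bot: in the `__init__` hunk, `self.options["secure"] = False` runs after the parent constructor, so a `secure` value supplied through `config` is overwritten without any notice to the administrator. A short comment stating that the flag is forced off here and why would make that intent reviewable, and the commented-out `# self.options["httponly"] = True` line should either be dropped or given a comment saying when it is meant to be enabled.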
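
The behaviour discussed in this thread (mark the cookie `Secure` only when the request arrived over HTTPS), as an added example that is not the patch under review and not Beaker's or Kallithea's code: a generic WSGI wrapper that decides per request from `wsgi.url_scheme`. The names `SecureCookieOnHTTPS`, `demo_app` and `response_headers` are hypothetical and the cookie value is constructed.

```python
import re

# Matches an existing Secure attribute so it is not appended twice.
_SECURE_ATTR = re.compile(r";\s*secure\s*(;|$)", re.IGNORECASE)


def _add_secure(cookie):
    return cookie if _SECURE_ATTR.search(cookie) else cookie + "; Secure"


class SecureCookieOnHTTPS(object):
    """Append Secure to Set-Cookie headers of HTTPS responses only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # wsgi.url_scheme is set by the WSGI server. Behind a TLS-terminating
        # proxy the deployment must make it reflect the client-facing scheme,
        # otherwise HTTPS users silently get cookies without the flag.
        is_https = environ.get("wsgi.url_scheme") == "https"

        def patched_start_response(status, headers, exc_info=None):
            if is_https:
                headers = [(n, _add_secure(v) if n.lower() == "set-cookie" else v)
                           for n, v in headers]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    # Constructed sample application that issues a session cookie.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
    return [b"ok"]


def response_headers(scheme):
    """Run demo_app through the wrapper for one scheme and return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    list(SecureCookieOnHTTPS(demo_app)(environ, start_response))
    return dict(captured["headers"])
```
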
