Cooke, Mark wrote:
> ~ are the session IDs at least 64-bits of random data?

- Anonymous session cookies have 24 hex digits = 96 bits of random data:
  http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=189#L184
- Authentication cookies have 32 hex digits = 128 bits of random data:
  http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=172#L161
  http://trac.edgewall.org/browser/trunk/trac/util/__init__.py?rev=10841&marks=621#L619

> ~ does a session timeout and is the period configurable?

- Anonymous session cookies expire after 90 days of inactivity, and this timeout is not configurable:
  http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=200,204#L200
  http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=35#L33
- Authentication cookies expire when closing the browser by default, but this can be configured with the [trac] auth_cookie_lifetime option in trac.ini:
  http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=184-185#L179
  http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=69#L68

> ~ are the `secure` and `http_only` flags set for cookies?

- The "secure" flag is not set by default, but this can be configured with the [trac] secure_cookies option in trac.ini:
  http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=182-183#L179
  http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=205-206#L200
  http://trac.edgewall.org/browser//trunk/trac/env.py?rev=10812&marks=169-175#L168
- We don't currently support the "http_only" flag. I thought we had an enhancement request for that, but I can't find it, so it looks like we don't. We would certainly accept a good patch that adds this functionality (it's fairly simple to do, and doesn't have to be configurable AFAICT).

--
Remy
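An added check for the cookie properties discussed in this thread (example code written for this page, not Trac's own implementation): it generates hex ids of the two lengths mentioned above, renders a Set-Cookie header, and audits a header for id entropy, the Secure and HttpOnly flags, and whether a lifetime is set. The cookie names, the 64-bit threshold and the lifetimes used are assumptions.

```python
import re
import secrets
from http.cookies import SimpleCookie

SECONDS_PER_DAY = 86400
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def new_session_id(hex_digits):
    """Random id of `hex_digits` hex digits; each hex digit carries 4 bits."""
    return secrets.token_hex(hex_digits // 2)  # token_hex(n) gives 2n digits


def build_set_cookie(name, value, lifetime=0, secure=False, httponly=False):
    """Render a Set-Cookie header value; lifetime=0 means a browser-session cookie."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    if lifetime:
        c[name]["max-age"] = lifetime
    if secure:
        c[name]["secure"] = True
    if httponly:
        c[name]["httponly"] = True
    return c[name].OutputString()


def entropy_bits(value):
    """Bits of randomness implied by an all-hex id (assumes every digit is random)."""
    if not value or not HEX_RE.fullmatch(value):
        return 0
    return 4 * len(value)


def audit_set_cookie(header, min_bits=64):
    """Return {cookie_name: [findings]} for each cookie in a Set-Cookie header value."""
    c = SimpleCookie()
    c.load(header)
    report = {}
    for name, m in c.items():
        findings = []
        bits = entropy_bits(m.value)
        if bits < min_bits:
            findings.append("id has %d bits of entropy, want >= %d" % (bits, min_bits))
        if not m["secure"]:
            findings.append("missing Secure")
        if not m["httponly"]:
            findings.append("missing HttpOnly")
        if not m["max-age"] and not m["expires"]:
            findings.append("no Max-Age/Expires: cleared when the browser closes")
        report[name] = findings
    return report
```

Running the audit over a cookie built with the defaults described above (no Secure, no HttpOnly) reports exactly those two flags as missing; a 24-digit id already clears the 64-bit threshold.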