> -----Original Message-----
> From: [email protected] On Behalf Of Remy Blank
> Sent: 14 November 2011 21:27
> To: [email protected]
> Subject: Re: [Trac] Session validation / timeout
> 
> Cooke, Mark wrote:
> > ~ are the session IDs at least 64-bits of random data?
> 
>  - Anonymous session cookies have 24 hex digits = 96 bits of 
> random data:
> 
> http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=189#L184
> 
>  - Authentication cookies have 32 hex digits = 128 bits of 
> random data:
> 
> http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=172#L161
> 
> http://trac.edgewall.org/browser/trunk/trac/util/__init__.py?rev=10841&marks=621#L619
> 
> > ~ does a session timeout and is the period configurable?
> 
>  - Anonymous session cookies expire after 90 days of inactivity, and
> this timeout is not configurable:
> 
> http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=200,204#L200
> 
> http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=35#L33
> 
>  - Authentication cookies expire when closing the browser by default,
> but this can be configured with the [trac] auth_cookie_lifetime option
> in trac.ini:
> 
> http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=184-185#L179
> 
> http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=69#L68
> 
> > ~ are the `secure` and `http_only` flags set for cookies?
> 
>  - The "secure" flag is not set by default, but this can be configured
> with the [trac] secure_cookies option in trac.ini:
> 
> http://trac.edgewall.org/browser/trunk/trac/web/auth.py?rev=10815&marks=182-183#L179
> 
> http://trac.edgewall.org/browser/trunk/trac/web/session.py?rev=10826&marks=205-206#L200
> 
> http://trac.edgewall.org/browser//trunk/trac/env.py?rev=10812&marks=169-175#L168
> 
>  - We don't currently support the "http_only" flag. I thought 
>    we had an enhancement request for that, but I can't find it,
>    so it looks like we don't. We would certainly accept a good
>    patch that adds this functionality (it's fairly simple to do,
>    and doesn't have to be configurable AFAICT).
> 
Following up on this last point, you were right, there is both a ticket (with a 
comment by `rblank`) and a patch:

http://trac.edgewall.org/ticket/10453

...and in response to your comment "So, is this really useful?", surely 
"reduced" risk is better than otherwise?  Why would we not apply the attribute 
to the session cookies?

As you set the milestone to `next-major-0.1X` what is the chance this will make 
it into 0.13?

Many thanks,

~ mark c

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en.
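The thread touches three properties of a session cookie that a reviewer checks: how many bits of randomness the id carries (the 64-bit question, against Trac's 96 and 128), how long it lives (the 90-day anonymous timeout, `auth_cookie_lifetime`), and whether the `Secure` and `HttpOnly` attributes are present. The script below is an added example, written for this page; it is not Trac's code and not from either poster. It generates ids of the sizes named above, renders a `Set-Cookie` value with both attributes on by default, and audits an arbitrary `Set-Cookie` value for the weaknesses discussed. The cookie names `trac_session` and `trac_auth` and the sample header values are constructed for the example and are not taken from the Trac source.

```python
import secrets
from http.cookies import SimpleCookie

# Session-id sizes named in the thread: 24 hex digits (96 bits) for the
# anonymous session cookie, 32 hex digits (128 bits) for the auth cookie.
ANON_SESSION_BITS = 96
AUTH_COOKIE_BITS = 128
MIN_ACCEPTABLE_BITS = 64            # the threshold asked about in the thread
ANON_SESSION_LIFETIME = 90 * 86400  # 90 days of inactivity, in seconds


def new_session_id(bits=ANON_SESSION_BITS):
    """Return a random hex session id carrying `bits` bits of entropy."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)  # 2 hex digits per byte


def build_set_cookie(name, value, max_age=None, secure=True, http_only=True, path="/"):
    """Render a Set-Cookie value with Secure and HttpOnly on by default.

    Leaving max_age as None produces a session cookie that the browser
    discards on close, which is the auth-cookie default described above.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if max_age is not None:
        jar[name]["max-age"] = max_age
    if secure:
        jar[name]["secure"] = True
    if http_only:
        jar[name]["httponly"] = True
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie value and list the weaknesses a reviewer would flag.

    Returns (cookie_name, findings); an empty findings list means the cookie
    has both attributes and a hex id of at least MIN_ACCEPTABLE_BITS.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from page scripts")
    # The entropy estimate (4 bits per hex digit) only applies to a hex token.
    try:
        int(value, 16)
        bits = 4 * len(value)
        if bits < MIN_ACCEPTABLE_BITS:
            findings.append("session id carries only %d bits" % bits)
    except ValueError:
        findings.append("value is not a hex token; entropy not assessed")
    return name, findings


if __name__ == "__main__":
    # Constructed sample headers: a weak anonymous cookie and a hardened auth cookie.
    weak = "trac_session=%s; Path=/" % new_session_id(48)
    strong = build_set_cookie("trac_auth", new_session_id(AUTH_COOKIE_BITS), max_age=3600)
    for header in (weak, strong):
        print(header)
        print("  ->", audit_set_cookie(header)[1] or ["ok"])
```

The audit deliberately does not try to guess a cookie's lifetime from `Expires`; that is a policy question (`auth_cookie_lifetime` versus the fixed 90-day anonymous timeout) best read from the configuration rather than inferred from one response.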