Ticket #130 (new enhancement)

Opened 5 years ago

Last modified 13 months ago

Signed cookies cannot be cross-used with SSL and non-SSL sites.

Reported by: martinpaljak Owned by: ianb
Priority: normal Milestone:
Component: paste Version: svn-trunk
Severity: major Keywords: ssl signed cookies spammed
Cc:

Description

My usage scenario is like this:

User logs on via SSL with smart card authentication. As some parts of the site do not require end-to-end SSL authentication and integrity, I want to use signed cookies that are set on the SSL site and re-used in both the http as well as https space. To achieve this, I created the following patch for paste (attached).

Attachments

paste.diff (2.0 KB) - added by martinpaljak 5 years ago.
Patch with docstring addition

Change History

Changed 5 years ago by ianb

I'm a little confused about what "universal" really means. The patch is simple enough, but the effect of universal=True isn't clear to me.

Can you include a docstring addition to explain the meaning?

Changed 5 years ago by ianb

  • milestone 1.1 deleted

Changed 5 years ago by martinpaljak

Patch with docstring addition

Changed 5 years ago by martinpaljak

Maybe the name 'universal' is not the best. It controls whether the cookie shall be 'universal', meaning usable on both secure and non-secure sites. If the 'secure' flag is set then RFC 2109 forbids sending the cookie via 'unsecure' (meaning non-SSL in real life) channels.
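
The behaviour described in this comment, as an added stand-alone example that is not the attached patch or paste's own cookie code: an HMAC-signed cookie is emitted with or without the Secure flag (the `universal` switch here is an assumed name modelled on the ticket), and a small user-agent model shows that only the non-Secure variant is attached to plain-http requests. The signature detects tampering; it does not stop the token from crossing the network in the clear when the cookie is universal.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed demo key; a real deployment loads its secret from configuration.
SECRET = b"demo-signing-key"


def sign(value: str, key: bytes = SECRET) -> str:
    """Append an HMAC-SHA256 tag so the server can detect a modified value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}!{tag}"


def verify(signed: str, key: bytes = SECRET):
    """Return the original value, or None when the tag does not match."""
    value, sep, tag = signed.rpartition("!")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def set_cookie_header(name: str, value: str, universal: bool) -> str:
    """Build a Set-Cookie header value for a signed cookie.

    universal=False sets the Secure flag (RFC 2109 / RFC 6265), so a user agent
    only returns the cookie over https. universal=True omits the flag, which is
    what lets the same signed cookie be used on the http part of a site; the
    cost is that the signed token then also travels unencrypted.
    """
    cookie = SimpleCookie()
    cookie[name] = sign(value)
    cookie[name]["httponly"] = True
    if not universal:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def browser_sends(set_cookie: str, url: str) -> bool:
    """Model the user-agent rule: a Secure cookie is attached to https requests only."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    morsel = next(iter(cookie.values()))
    return urlsplit(url).scheme == "https" or not morsel["secure"]
```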

Changed 4 years ago by ghazel

Perhaps the parameter should just be called "secure" or "notsecure", then. Anyway, we hack around this on our site too, so +1 to this being included in some fashion.

Changed 4 years ago by ianb

  • keywords spammed added