--
Reviewed-by: Paulo Vital <pvital(a)linux.vnet.ibm.com>
On Fri, 2014-04-25 at 00:43 -0300, Aline Manera wrote:
From: Aline Manera <alinefm(a)br.ibm.com>
Since this cookie does not contain the "secure" attribute, it might also
be sent to the site during an unencrypted session. Any information such
as cookies, session tokens or user credentials that are sent to the
server as clear text, may be stolen and used later for identity theft or
user impersonation.
Fix it.
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
---
src/kimchi/config.py.in | 1 +
tests/test_config.py.in | 1 +
ui/js/src/kimchi.cookie.js | 1 +
3 files changed, 3 insertions(+)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f8a645a..da89e3a 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -172,6 +172,7 @@ class KimchiConfig(dict):
'tools.nocache.on': True,
'tools.sessions.on': True,
'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
'tools.sessions.httponly': True,
'tools.sessions.locking': 'explicit',
'tools.sessions.storage_type': 'ram',
diff --git a/tests/test_config.py.in b/tests/test_config.py.in
index 9654016..cf89fa3 100644
--- a/tests/test_config.py.in
+++ b/tests/test_config.py.in
@@ -97,6 +97,7 @@ class ConfigTests(unittest.TestCase):
'tools.nocache.on': True,
'tools.sessions.on': True,
'tools.sessions.name': 'kimchi',
+ 'tools.sessions.secure': True,
'tools.sessions.httponly': True,
'tools.sessions.locking': 'explicit',
'tools.sessions.storage_type': 'ram',
diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js
index d63fb97..2a69407 100644
--- a/ui/js/src/kimchi.cookie.js
+++ b/ui/js/src/kimchi.cookie.js
@@ -18,6 +18,7 @@
kimchi.cookie = {
set: function(key, value, expireDays) {
value = encodeURIComponent(value);
+ value += '; secure'
if (expireDays) {
var expireDate = new Date();
expireDate.setDate(expireDate.getDate() + expireDays);