[Kimchi-devel] [PATCH] bug fix: Use secure cookies

Aline Manera alinefm at linux.vnet.ibm.com
Fri Apr 25 03:32:28 UTC 2014


From: Aline Manera <alinefm at br.ibm.com>

Since this cookie does not contain the "secure" attribute, it might also
be sent to the site during an unencrypted session. Any information such
as cookies, session tokens or user credentials that are sent to the
server as clear text, may be stolen and used later for identity theft or
user impersonation.
Fix it.

Signed-off-by: Aline Manera <alinefm at br.ibm.com>
---
 src/kimchi/config.py.in    |    1 +
 ui/js/src/kimchi.cookie.js |    1 +
 2 files changed, 2 insertions(+)

diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f8a645a..da89e3a 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -172,6 +172,7 @@ class KimchiConfig(dict):
               'tools.nocache.on': True,
               'tools.sessions.on': True,
               'tools.sessions.name': 'kimchi',
+              'tools.sessions.secure': True,
               'tools.sessions.httponly': True,
               'tools.sessions.locking': 'explicit',
               'tools.sessions.storage_type': 'ram',
diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js
index d63fb97..2a69407 100644
--- a/ui/js/src/kimchi.cookie.js
+++ b/ui/js/src/kimchi.cookie.js
@@ -18,6 +18,7 @@
 kimchi.cookie = {
     set: function(key, value, expireDays) {
         value = encodeURIComponent(value);
+        value += '; secure'
         if (expireDays) {
             var expireDate = new Date();
             expireDate.setDate(expireDate.getDate() + expireDays);
-- 
1.7.10.4




More information about the Kimchi-devel mailing list