[Kimchi-devel] [PATCH V2] bug fix: Use secure cookies

Aline Manera alinefm at linux.vnet.ibm.com
Fri Apr 25 03:43:15 UTC 2014


From: Aline Manera <alinefm at br.ibm.com>

Since this cookie does not contain the "secure" attribute, it might also
be sent to the site during an unencrypted session. Any information such
as cookies, session tokens or user credentials that are sent to the
server as clear text may be stolen and used later for identity theft or
user impersonation.
Fix it.

Signed-off-by: Aline Manera <alinefm at br.ibm.com>
---
 src/kimchi/config.py.in    |    1 +
 tests/test_config.py.in    |    1 +
 ui/js/src/kimchi.cookie.js |    1 +
 3 files changed, 3 insertions(+)

diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f8a645a..da89e3a 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -172,6 +172,7 @@ class KimchiConfig(dict):
               'tools.nocache.on': True,
               'tools.sessions.on': True,
               'tools.sessions.name': 'kimchi',
+              'tools.sessions.secure': True,
               'tools.sessions.httponly': True,
               'tools.sessions.locking': 'explicit',
               'tools.sessions.storage_type': 'ram',
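
Review bot: 'tools.sessions.secure': True is set unconditionally in KimchiConfig, so a browser will stop returning the 'kimchi' session cookie on any plain-HTTP connection. Please confirm that every way of reaching the server is HTTPS (or redirects to HTTPS before login), and add a short comment above the new line saying that sessions now require TLS, since the dict itself gives no hint why the key is there.
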
diff --git a/tests/test_config.py.in b/tests/test_config.py.in
index 9654016..cf89fa3 100644
--- a/tests/test_config.py.in
+++ b/tests/test_config.py.in
@@ -97,6 +97,7 @@ class ConfigTests(unittest.TestCase):
                   'tools.nocache.on': True,
                   'tools.sessions.on': True,
                   'tools.sessions.name': 'kimchi',
+                  'tools.sessions.secure': True,
                   'tools.sessions.httponly': True,
                   'tools.sessions.locking': 'explicit',
                   'tools.sessions.storage_type': 'ram',
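
Review bot: the line added to ConfigTests only repeats the literal from config.py.in in the expected dict, so it checks that the two files agree, not that the session cookie actually goes out with the Secure attribute. Consider a test that makes a request and asserts that the Set-Cookie header for 'kimchi' contains 'secure', so that a later change to the session setup cannot drop it unnoticed.
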
diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js
index d63fb97..2a69407 100644
--- a/ui/js/src/kimchi.cookie.js
+++ b/ui/js/src/kimchi.cookie.js
@@ -18,6 +18,7 @@
 kimchi.cookie = {
     set: function(key, value, expireDays) {
         value = encodeURIComponent(value);
+        value += '; secure'
         if (expireDays) {
             var expireDate = new Date();
             expireDate.setDate(expireDate.getDate() + expireDays);
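
Review bot: in kimchi.cookie.set the new statement value += '; secure' has no terminating semicolon, unlike the statements around it, and it stores a cookie attribute in the variable that holds the encoded value. Add the semicolon, and consider collecting attributes in their own string (for example a separate variable that also receives the expiry) so that value stays the cookie value only. Since a Secure cookie is not sent over plain HTTP, any cookie written here that the server needs to see now depends on the UI being served over HTTPS.
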
-- 
1.7.10.4



