[Kimchi-devel] [PATCH] bug fix: Use secure cookies
Paulo Ricardo Paz Vital
pvital at linux.vnet.ibm.com
Fri Apr 25 13:32:20 UTC 2014
--
Reviewed-by: Paulo Vital <pvital at linux.vnet.ibm.com>
On Fri, 2014-04-25 at 00:32 -0300, Aline Manera wrote:
> From: Aline Manera <alinefm at br.ibm.com>
>
> Since this cookie does not contain the "secure" attribute, it might also
> be sent to the site during an unencrypted session. Any information such
> as cookies, session tokens or user credentials that are sent to the
> server as clear text, may be stolen and used later for identity theft or
> user impersonation.
> Fix it.
>
> Signed-off-by: Aline Manera <alinefm at br.ibm.com>
> ---
> src/kimchi/config.py.in | 1 +
> ui/js/src/kimchi.cookie.js | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
> index f8a645a..da89e3a 100644
> --- a/src/kimchi/config.py.in
> +++ b/src/kimchi/config.py.in
> @@ -172,6 +172,7 @@ class KimchiConfig(dict):
> 'tools.nocache.on': True,
> 'tools.sessions.on': True,
> 'tools.sessions.name': 'kimchi',
> + 'tools.sessions.secure': True,
> 'tools.sessions.httponly': True,
> 'tools.sessions.locking': 'explicit',
> 'tools.sessions.storage_type': 'ram',
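Review bot: `'tools.sessions.secure': True` is set unconditionally in the KimchiConfig session block, so the `kimchi` session cookie will no longer be returned on any plain-HTTP request. The visible lines do not show how HTTP requests are handled; if the server can still be reached over HTTP without a redirect to HTTPS, sessions there would stop persisting after login. Please state in the commit message that HTTP is always redirected, or make the setting follow the HTTPS configuration.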
> diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js
> index d63fb97..2a69407 100644
> --- a/ui/js/src/kimchi.cookie.js
> +++ b/ui/js/src/kimchi.cookie.js
> @@ -18,6 +18,7 @@
> kimchi.cookie = {
> set: function(key, value, expireDays) {
> value = encodeURIComponent(value);
> + value += '; secure'
> if (expireDays) {
> var expireDate = new Date();
> expireDate.setDate(expireDate.getDate() + expireDays);
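Review bot: In `set`, `value += '; secure'` appends a cookie attribute to the variable that holds the encoded data, and the statement is missing the terminating semicolon that the surrounding lines use. It is safe only because it runs after `encodeURIComponent(value)`; adding the attribute where the cookie string is assembled, next to the expiry handling, would keep `value` as data only and prevent a later reordering from encoding the attribute into the value. The flag is also unconditional, so cookies written through this helper will not be visible to pages loaded over plain HTTP.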