[Kimchi-devel] [PATCH V2] bug fix: Use secure cookies

Paulo Ricardo Paz Vital pvital at linux.vnet.ibm.com
Fri Apr 25 13:32:45 UTC 2014 

-- 
Reviewed-by: Paulo Vital <pvital at linux.vnet.ibm.com>


On Fri, 2014-04-25 at 00:43 -0300, Aline Manera wrote:
> From: Aline Manera <alinefm at br.ibm.com>
> 
> Since this cookie does not contain the "secure" attribute, it might also
> be sent to the site during an unencrypted session. Any information such
> as cookies, session tokens or user credentials that are sent to the
> server as clear text, may be stolen and used later for identity theft or
> user impersonation.
> Fix it.
> 
> Signed-off-by: Aline Manera <alinefm at br.ibm.com>
> ---
>  src/kimchi/config.py.in    |    1 +
>  tests/test_config.py.in    |    1 +
>  ui/js/src/kimchi.cookie.js |    1 +
>  3 files changed, 3 insertions(+)
> 
> diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
> index f8a645a..da89e3a 100644
> --- a/src/kimchi/config.py.in
> +++ b/src/kimchi/config.py.in
> @@ -172,6 +172,7 @@ class KimchiConfig(dict):
>                'tools.nocache.on': True,
>                'tools.sessions.on': True,
>                'tools.sessions.name': 'kimchi',
> +              'tools.sessions.secure': True,
>                'tools.sessions.httponly': True,
>                'tools.sessions.locking': 'explicit',
>                'tools.sessions.storage_type': 'ram',
> diff --git a/tests/test_config.py.in b/tests/test_config.py.in
> index 9654016..cf89fa3 100644
> --- a/tests/test_config.py.in
> +++ b/tests/test_config.py.in
> @@ -97,6 +97,7 @@ class ConfigTests(unittest.TestCase):
>                    'tools.nocache.on': True,
>                    'tools.sessions.on': True,
>                    'tools.sessions.name': 'kimchi',
> +                  'tools.sessions.secure': True,
>                    'tools.sessions.httponly': True,
>                    'tools.sessions.locking': 'explicit',
>                    'tools.sessions.storage_type': 'ram',
> diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js
> index d63fb97..2a69407 100644
> --- a/ui/js/src/kimchi.cookie.js
> +++ b/ui/js/src/kimchi.cookie.js
> @@ -18,6 +18,7 @@
>  kimchi.cookie = {
>      set: function(key, value, expireDays) {
>          value = encodeURIComponent(value);
> +        value += '; secure'
>          if (expireDays) {
>              var expireDate = new Date();
>              expireDate.setDate(expireDate.getDate() + expireDays);

More information about the Kimchi-devel mailing list