Bug #2069
Use the SSL only flag for cookies
| Status: | Closed | Start date: | 02/20/2012 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Sofia Papagiannaki | % Done: | 0% |
| Category: | Astakos | Spent time: | - |
| Target version: | - | | |
Description
Make sure any stored cookies are only accessible over HTTPS,
by passing secure=True to response.set_cookie.
Please investigate whether SESSION_COOKIE_SECURE should also be set.
This could be optional behavior, to ease development, but please make
sure a relevant setting exists, and the default is to have cookies
be HTTPS only.
Interesting presentation, sent by azisi:
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
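An added example, not part of the original ticket or of Synnefo's code: a secure-by-default cookie helper plus a check that flags `Set-Cookie` headers lacking the `Secure` attribute. It uses the standard-library `http.cookies` module instead of Django so it runs stand-alone; the setting name `COOKIE_SECURE_DEFAULT`, the function names and the sample headers are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Hypothetical setting (not a Synnefo or Django name): cookies are HTTPS-only
# unless a developer explicitly turns this off for a local, non-TLS setup.
COOKIE_SECURE_DEFAULT = True


def build_set_cookie(name, value, secure=None, httponly=True):
    """Return a Set-Cookie header value; Secure is on unless disabled."""
    if secure is None:
        secure = COOKIE_SECURE_DEFAULT
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if secure:
        cookie[name]["secure"] = True
    if httponly:
        cookie[name]["httponly"] = True
    return cookie[name].OutputString()


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies whose header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Compare attribute names only (everything after name=value), so a
        # cookie *value* containing the word "secure" does not pass the check.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample response headers, as a test client might collect them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure",
    "pref=securebanner; Path=/",
]

if __name__ == "__main__":
    print(build_set_cookie("sessionid", "abc123"))
    print("Missing Secure:", cookies_missing_secure(SAMPLE_HEADERS))
```
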
Associated revisions
secure cookies
Refs: #2069
secure cookies
Refs: #2069
Use option for secure cookie.
Refs #2069
Use option for secure cookie.
Refs #2069
History
#1 Updated by Antony Chazapis about 12 years ago
- Status changed from Assigned to Closed
- Target version changed from 0.9.0 (beta) to 0.3.0
#2 Updated by Vangelis Koukis about 12 years ago
- Status changed from Closed to Assigned
- Target version changed from 0.3.0 to 0.4.0
Reopening, the implementation must be amended to set SESSION_COOKIE_SECURE=True
by default.
#3 Updated by Sofia Papagiannaki about 12 years ago
- Target version changed from 0.4.0 to 0.5.0
#4 Updated by Sofia Papagiannaki about 12 years ago
- Target version changed from 0.5.0 to 0.4.0
#5 Updated by Sofia Papagiannaki about 12 years ago
- Status changed from Assigned to Closed
This requirement has been added in snf-webproject.
#6 Updated by Vangelis Koukis about 11 years ago
- Project changed from astakos to Synnefo
- Target version deleted (0.4.0)
#7 Updated by Vangelis Koukis about 11 years ago
- Category set to Astakos