authorElrond <elrond+mediagoblin.org@samba-tng.org>2013-04-09 22:49:11 +0200
committerElrond <elrond+mediagoblin.org@samba-tng.org>2013-04-09 22:49:11 +0200
commitb0ee3aae91fa49b25b84dce20931e970639d17fe (patch)
treed972593ab4f2f6767c90b31644eb54289e1c95df
parent82a40cc4e145e4fdf5f81d7b6319cf713afa44c1 (diff)
Make session cookies more secure.
1. Our session cookies only need to be available to http, so mark them appropriately. 2. Send the cookie to the subpath for mediagoblin. And instantiate a session manager on the app, once.
-rw-r--r--mediagoblin/app.py8
-rw-r--r--mediagoblin/tools/session.py9
2 files changed, 12 insertions, 5 deletions
diff --git a/mediagoblin/app.py b/mediagoblin/app.py
index 2c772fe1..1137c0d7 100644
--- a/mediagoblin/app.py
+++ b/mediagoblin/app.py
@@ -73,6 +73,9 @@ class MediaGoblinApp(object):
# Setup other connections / useful objects
##########################################
+ # Setup Session Manager, not needed in celery
+ self.session_manager = session.SessionManager()
+
# load all available locales
setup_locales()
@@ -157,7 +160,7 @@ class MediaGoblinApp(object):
## Attach utilities to the request object
# Do we really want to load this via middleware? Maybe?
- session_manager = session.SessionManager()
+ session_manager = self.session_manager
request.session = session_manager.load_session_from_cookie(request)
# Attach self as request.app
# Also attach a few utilities from request.app for convenience?
@@ -227,7 +230,8 @@ class MediaGoblinApp(object):
response = render_http_exeption(
request, e, e.get_description(environ))
- session_manager.save_session_to_cookie(request.session, response)
+ session_manager.save_session_to_cookie(request.session,
+ request, response)
return response(environ, start_response)
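Review bot: Only the call inside the exception handler is updated to the new `save_session_to_cookie(request.session, request, response)` signature; if the same method also saves the session on the normal (non-error) response path outside this hunk, that call must be given `request` as well or it will raise TypeError at runtime. The diffstat for app.py accounts for just the three hunks shown, so this is worth confirming before merging. The enclosing method starts and ends outside the hunk.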
diff --git a/mediagoblin/tools/session.py b/mediagoblin/tools/session.py
index d452b851..64220ed9 100644
--- a/mediagoblin/tools/session.py
+++ b/mediagoblin/tools/session.py
@@ -58,10 +58,13 @@ class SessionManager(object):
except itsdangerous.BadData:
return Session()
- def save_session_to_cookie(self, session, response):
+ def save_session_to_cookie(self, session, request, response):
if not session.is_updated():
return
elif not session:
- response.delete_cookie(self.cookie_name)
+ response.delete_cookie(self.cookie_name,
+ path=request.environ['SCRIPT_NAME'])
else:
- response.set_cookie(self.cookie_name, self.signer.dumps(session))
+ response.set_cookie(self.cookie_name, self.signer.dumps(session),
+ path=request.environ['SCRIPT_NAME'],
+ httponly=True)
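Review bot: The signed session cookie is still set without the `secure` attribute, so on an HTTPS deployment the browser will also attach it to plain-HTTP requests for the same host; alongside the new `httponly=True`, add `secure=request.environ['wsgi.url_scheme'] == 'https',` to the set_cookie call so the cookie is only sent back over TLS when it was issued over TLS. Separately, `request.environ['SCRIPT_NAME']` is the empty string when the app is mounted at the site root, which presumably produces an empty `Path=` attribute and lets the browser fall back to the request URI's default-path, scoping the session to whatever directory the login happened under; `path=request.environ['SCRIPT_NAME'] or '/'` in both the set_cookie and delete_cookie calls keeps the two consistent and covers the whole application. The class continues outside the hunk.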