authorElrond <elrond+mediagoblin.org@samba-tng.org>2013-04-09 22:49:11 +0200
committerElrond <elrond+mediagoblin.org@samba-tng.org>2013-04-09 22:49:11 +0200
commitb0ee3aae91fa49b25b84dce20931e970639d17fe (patch)
treed972593ab4f2f6767c90b31644eb54289e1c95df /mediagoblin/tools/session.py
parent82a40cc4e145e4fdf5f81d7b6319cf713afa44c1 (diff)
Make session cookies more secure.
1. Our session cookies only need to be available to http, so mark them appropriately. 2. Send the cookie to the subpath for mediagoblin. And instantiate a session manager on the app, once.
Diffstat (limited to 'mediagoblin/tools/session.py')
-rw-r--r--mediagoblin/tools/session.py9
1 files changed, 6 insertions, 3 deletions
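--- a/mediagoblin/tools/session.py
+++ b/mediagoblin/tools/session.py
@@ -58,10 +58,13 @@ class SessionManager(object):
 except itsdangerous.BadData:
 return Session()
- def save_session_to_cookie(self, session, response):
+ def save_session_to_cookie(self, session, request, response):
 if not session.is_updated():
 return
 elif not session:
- response.delete_cookie(self.cookie_name)
+ response.delete_cookie(self.cookie_name,
+ path=request.environ['SCRIPT_NAME'])
 else:
- response.set_cookie(self.cookie_name, self.signer.dumps(session))
+ response.set_cookie(self.cookie_name, self.signer.dumps(session),
+ path=request.environ['SCRIPT_NAME'],
+ httponly=True)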
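Review bot: The `set_cookie` call at the end of the hunk still omits the `secure` flag, so on an HTTPS deployment the signed session cookie is also sent along with any plain-HTTP request to the same host; `secure=request.environ.get('wsgi.url_scheme') == 'https'` next to `httponly=True` (or a config setting, since development instances run over plain HTTP) closes that. A second point is the new `path=request.environ['SCRIPT_NAME']`: when the app is mounted at the root, `SCRIPT_NAME` is the empty string, and an empty `Path` attribute makes browsers fall back to the default-path of the URL that set the cookie (RFC 6265 §5.2.4), so the session could end up scoped to a subdirectory such as the login URL's rather than the whole site, assuming werkzeug emits the attribute rather than dropping it. Using `path=request.environ['SCRIPT_NAME'] or '/'` in both the `delete_cookie` and `set_cookie` calls avoids that and keeps the two paths matching, which `delete_cookie` needs in order to clear what `set_cookie` wrote. The signature now requires `request` from every caller; those callers and the rest of `SessionManager` are outside this hunk.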