0001-misc-add-httponly-secure-flags-on-session-cookie-112.patch
tests/test_form_pages.py | ||
---|---|---|
2755 | 2755 |
assert 'message-to-submitter' in page.body |
2756 | 2756 |
assert 'message-to-nobody' not in page.body |
2757 | 2757 |
assert 'message-to-xxx-and-submitter' in page.body |
2758 | ||
2759 |
def test_session_cookie_flags(pub): |
|
2760 |
formdef = create_formdef() |
|
2761 |
app = get_app(pub) |
|
2762 |
resp = app.get('/test/', status=200) |
|
2763 |
resp = resp.form.submit('submit') |
|
2764 |
assert resp.headers['Set-Cookie'].startswith('wcs-') |
|
2765 |
assert 'httponly' in resp.headers['Set-Cookie'] |
|
2766 |
assert not 'secure' in resp.headers['Set-Cookie'] |
|
2767 | ||
2768 |
app = get_app(pub, https=True) |
|
2769 |
resp = app.get('/test/', status=200) |
|
2770 |
resp = resp.form.submit('submit') |
|
2771 |
assert resp.headers['Set-Cookie'].startswith('wcs-') |
|
2772 |
assert 'httponly' in resp.headers['Set-Cookie'] |
|
2773 |
assert 'secure' in resp.headers['Set-Cookie'] |
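Review bot: Both apps in this test are built around the same `pub`, but only in the http→https order, so the test cannot catch the secure flag sticking: the publisher hunk in this commit only ever sets `self.config.session_cookie_secure = True` and never clears it, so a plain-http app created after the https one would presumably still see `secure` in its cookie. A third round after the https block, `app = get_app(pub)` through `assert 'secure' not in resp.headers['Set-Cookie']`, would pin the intended per-request behaviour (or show that an `else` branch is needed in publisher.py). The substring checks are also case-sensitive; if the framework ever emits the attribute as `HttpOnly`, these assertions would fail for the wrong reason, so comparing against `resp.headers['Set-Cookie'].lower()` is safer. `assert not 'secure' in ...` should read `assert 'secure' not in resp.headers['Set-Cookie']`.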
tests/utilities.py | ||
---|---|---|
148 | 148 |
pass |
149 | 149 |
known_elements.sql_db_name = None |
150 | 150 | |
151 |
def get_app(pub): |
|
152 |
return TestApp(QWIP(pub), extra_environ={ |
|
153 |
'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'}) |
|
151 |
def get_app(pub, https=False): |
|
152 |
extra_environ = {'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'} |
|
153 |
if https: |
|
154 |
extra_environ['HTTPS'] = 'on' |
|
155 |
return TestApp(QWIP(pub), extra_environ=extra_environ) |
|
154 | 156 | |
155 | 157 |
def login(app, username='admin', password='admin'): |
156 | 158 |
login_page = app.get('/login/') |
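Review bot: `get_app` gains an `https` parameter without saying what it simulates; a docstring such as `"""Build a TestApp around pub; with https=True the WSGI environ carries HTTPS=on so the publisher treats the request as https."""` would save readers a trip to publisher.py. Setting only `HTTPS=on` also leaves `wsgi.url_scheme` at whatever webtest defaults it to (presumably `http`), so any code that derives the scheme from `wsgi.url_scheme` rather than the `HTTPS` variable will still see a plain-http request in the https app; if that matters for other tests, set `extra_environ['wsgi.url_scheme'] = 'https'` alongside it. Since the https branch is the only conditional, the helper stays readable as written; just keep the two environ keys together if the second one is added.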
wcs/qommon/publisher.py | ||
---|---|---|
436 | 436 |
self.logger.error_email = debug_cfg.get('error_email') |
437 | 437 |
self.config.display_exceptions = debug_cfg.get('display_exceptions') |
438 | 438 |
self.config.form_tokens = True |
439 |
self.config.session_cookie_httponly = True |
|
439 | 440 | |
440 | 441 |
if request: |
442 |
if request.get_scheme() == 'https': |
|
443 |
self.config.session_cookie_secure = True |
|
441 | 444 |
canonical_hostname = request.get_server(clean = False).lower().split(':')[0].rstrip('.') |
442 | 445 |
if canonical_hostname.count('.') >= 2 and self.etld: |
443 | 446 |
try: |
444 |
- |