misc: add httponly/secure flags on session cookie (#11275)
This commit is contained in:
parent
367745e4bb
commit
a9b8c3af0c
@ -2719,3 +2719,19 @@ def test_display_message(pub):
|
|||
assert 'message-to-submitter' in page.body
|
||||
assert 'message-to-nobody' not in page.body
|
||||
assert 'message-to-xxx-and-submitter' in page.body
|
||||
|
||||
def test_session_cookie_flags(pub):
|
||||
formdef = create_formdef()
|
||||
app = get_app(pub)
|
||||
resp = app.get('/test/', status=200)
|
||||
resp = resp.form.submit('submit')
|
||||
assert resp.headers['Set-Cookie'].startswith('wcs-')
|
||||
assert 'httponly' in resp.headers['Set-Cookie']
|
||||
assert not 'secure' in resp.headers['Set-Cookie']
|
||||
|
||||
app = get_app(pub, https=True)
|
||||
resp = app.get('/test/', status=200)
|
||||
resp = resp.form.submit('submit')
|
||||
assert resp.headers['Set-Cookie'].startswith('wcs-')
|
||||
assert 'httponly' in resp.headers['Set-Cookie']
|
||||
assert 'secure' in resp.headers['Set-Cookie']
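Review bot: The http half of the new test uses `assert not 'secure' in resp.headers['Set-Cookie']`, which PEP 8 (E713) writes as `assert 'secure' not in resp.headers['Set-Cookie']`. The `'httponly'`/`'secure'` substring checks also depend on the exact attribute casing the session layer emits; RFC 6265 treats `Secure` and `HttpOnly` as case-insensitive, so comparing against a lower-cased copy (`cookie = resp.headers['Set-Cookie'].lower()`) keeps the test stable if the cookie formatting changes. Note too that a bare substring match would also fire on a cookie name or value containing `secure`, which is unlikely here but is why a test that splits the header on `;` and compares attribute names would be the more precise check.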
|
||||
|
|
|
@ -148,9 +148,11 @@ def clean_temporary_pub():
|
|||
pass
|
||||
known_elements.sql_db_name = None
|
||||
|
||||
def get_app(pub):
|
||||
return TestApp(QWIP(pub), extra_environ={
|
||||
'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'})
|
||||
def get_app(pub, https=False):
|
||||
extra_environ = {'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'}
|
||||
if https:
|
||||
extra_environ['HTTPS'] = 'on'
|
||||
return TestApp(QWIP(pub), extra_environ=extra_environ)
|
||||
|
||||
def login(app, username='admin', password='admin'):
|
||||
login_page = app.get('/login/')
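Review bot: The new `https` parameter on `get_app` has no docstring explaining what it does to the WSGI environ, and a reader of the test helper cannot tell from the signature that it only sets `HTTPS=on`. A short docstring such as `"""Return a TestApp for pub; https=True adds HTTPS=on to the environ so the publisher sees an https request."""` would document the contract (the link to the publisher's scheme check is inferred from the other hunks, not visible here). Since `https` is a boolean switch, making it keyword-only, `def get_app(pub, *, https=False):`, would also prevent a positional `True` from being mistaken for another argument in later calls.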
|
||||
|
|
|
@ -436,8 +436,11 @@ class QommonPublisher(Publisher):
|
|||
self.logger.error_email = debug_cfg.get('error_email')
|
||||
self.config.display_exceptions = debug_cfg.get('display_exceptions')
|
||||
self.config.form_tokens = True
|
||||
self.config.session_cookie_httponly = True
|
||||
|
||||
if request:
|
||||
if request.get_scheme() == 'https':
|
||||
self.config.session_cookie_secure = True
|
||||
canonical_hostname = request.get_server(clean = False).lower().split(':')[0].rstrip('.')
|
||||
if canonical_hostname.count('.') >= 2 and self.etld:
|
||||
try:
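Review bot: `self.config.session_cookie_secure` is only ever set to True under the https branch and is never reset, so if `self.config` outlives a single request (not visible in this hunk) the Secure flag becomes sticky after the first https request and the cookie attributes depend on request history rather than on the current request. If per-request behaviour is intended, `self.config.session_cookie_secure = (request.get_scheme() == 'https')` makes that explicit; if sticky-once-https is intended, a one-line comment stating so would save the next reader the same question. Separately, the decision relies on the scheme as seen by the application, so in a deployment where TLS is terminated by a reverse proxy that does not mark the request as https in the WSGI environ, the session cookie would be issued without Secure in exactly the setup that needs it; that is worth a note in the deployment documentation. The enclosing method starts and ends outside this hunk.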
|
||||
|
|