misc: add httponly/secure flags on session cookie (#11275)

2016-06-11 13:29:35 +02:00 · 2016-06-11 13:29:35 +02:00 · a9b8c3af0c
parent 367745e4bb
commit a9b8c3af0c
3 changed files with 24 additions and 3 deletions
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@ -2719,3 +2719,19 @@ def test_display_message(pub):
    assert 'message-to-submitter' in page.body
    assert 'message-to-nobody' not in page.body
    assert 'message-to-xxx-and-submitter' in page.body
+
+def test_session_cookie_flags(pub):
+    formdef = create_formdef()
+    app = get_app(pub)
+    resp = app.get('/test/', status=200)
+    resp = resp.form.submit('submit')
+    assert resp.headers['Set-Cookie'].startswith('wcs-')
+    assert 'httponly' in resp.headers['Set-Cookie']
+    assert not 'secure' in resp.headers['Set-Cookie']
+
+    app = get_app(pub, https=True)
+    resp = app.get('/test/', status=200)
+    resp = resp.form.submit('submit')
+    assert resp.headers['Set-Cookie'].startswith('wcs-')
+    assert 'httponly' in resp.headers['Set-Cookie']
+    assert 'secure' in resp.headers['Set-Cookie']
--- a/tests/utilities.py
+++ b/tests/utilities.py
@ -148,9 +148,11 @@ def clean_temporary_pub():
            pass
        known_elements.sql_db_name = None

-def get_app(pub):
-    return TestApp(QWIP(pub), extra_environ={
-        'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'})
+def get_app(pub, https=False):
+    extra_environ = {'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'}
+    if https:
+        extra_environ['HTTPS'] = 'on'
+    return TestApp(QWIP(pub), extra_environ=extra_environ)

 def login(app, username='admin', password='admin'):
    login_page = app.get('/login/')
--- a/wcs/qommon/publisher.py
+++ b/wcs/qommon/publisher.py
@ -436,8 +436,11 @@ class QommonPublisher(Publisher):
        self.logger.error_email = debug_cfg.get('error_email')
        self.config.display_exceptions = debug_cfg.get('display_exceptions')
        self.config.form_tokens = True
+        self.config.session_cookie_httponly = True

        if request:
+            if request.get_scheme() == 'https':
+                self.config.session_cookie_secure = True
            canonical_hostname = request.get_server(clean = False).lower().split(':')[0].rstrip('.')
            if canonical_hostname.count('.') >= 2 and self.etld:
                try: