Files @ 43ad9c3b7d5d
Location: kallithea/CONTRIBUTORS - annotation

Andrew Shadura
middleware: use secure cookies over secure connections

HTTP cookie spec defines secure cookies, which are transmitted only over secure
connections (HTTPS). Using them helps protect against some attacks, but cookies
shouldn't be made secure when we don't have HTTPS configured. As it is now, it's
left at the user's discretion, but probably it's a good idea to force secure cookies
when they can be used.

In the current implementation, cookies are issued to users before they actually
try to log in, on the first page load. So if that happens over HTTPS, it's
probably safe to assume secure cookies can be used, and to default to normal
"insecure" cookies if HTTPS isn't available.

It's not easy to sneak into Beaker's internals, and it doesn't support selective
secureness, so we use our own wrapper around Beaker's SessionMiddleware class to
give secure cookies over HTTPS connections. Beaker's built-in mechanism for
secure cookies is forced to add the flag when needed only.
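
The wrapper approach described above, as an added illustration that is not Kallithea's or Beaker's own code: a plain WSGI middleware stands in for the Beaker SessionMiddleware wrapper, and a constructed `demo_app` plays the part of the session layer that issues the cookie. The cookie name `kallithea` is assumed for the example; the scheme check relies on `wsgi.url_scheme`, so behind a TLS-terminating proxy the deployment must make sure that key reflects the client's real connection.

```python
SESSION_COOKIE = 'kallithea'  # assumed cookie name, for illustration only


def demo_app(environ, start_response):
    """Constructed stand-in for Beaker's session middleware: always sets cookies."""
    start_response('200 OK', [
        ('Content-Type', 'text/plain'),
        ('Set-Cookie', SESSION_COOKIE + '=abc123; Path=/; HttpOnly'),
        ('Set-Cookie', 'lang=en; Path=/'),  # unrelated cookie, must stay untouched
    ])
    return [b'hello']


class SecureSessionCookieMiddleware:
    """Adds the Secure attribute to the session cookie only over HTTPS."""

    def __init__(self, app, cookie_name=SESSION_COOKIE):
        self.app = app
        self.cookie_name = cookie_name

    def __call__(self, environ, start_response):
        # The WSGI server reports the scheme of the actual connection here.
        is_https = environ.get('wsgi.url_scheme') == 'https'

        def secure_start_response(status, headers, exc_info=None):
            if is_https:
                headers = [(k, self._mark_secure(v) if k.lower() == 'set-cookie' else v)
                           for k, v in headers]
            return start_response(status, headers, exc_info)

        return self.app(environ, secure_start_response)

    def _mark_secure(self, value):
        """Append '; Secure' to our session cookie (once); leave other cookies alone."""
        attrs = [a.strip() for a in value.split(';')]
        if not attrs[0].startswith(self.cookie_name + '='):
            return value
        if any(a.lower() == 'secure' for a in attrs[1:]):
            return value
        return value + '; Secure'


def issue_cookies(scheme):
    """Run one request over `scheme`; return the Set-Cookie header values sent."""
    sent = []

    def start_response(status, headers, exc_info=None):
        sent.extend(v for k, v in headers if k.lower() == 'set-cookie')

    list(SecureSessionCookieMiddleware(demo_app)({'wsgi.url_scheme': scheme}, start_response))
    return sent
```

Over HTTPS the session cookie gains `Secure` while the unrelated `lang` cookie is left alone; over plain HTTP nothing is changed, so a non-TLS deployment keeps working with ordinary cookies.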

List of contributors to the Kallithea project:
    Marcin Kuźmiński <marcin@python-works.com>
    Lukasz Balcerzak <lukaszbalcerzak@gmail.com>
    Jason Harris <jason@jasonfharris.com>
    Thayne Harbaugh <thayne@fusionio.com>
    cejones <>
    Thomas Waldmann <tw-public@gmx.de>
    Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
    Dmitri Kuznetsov <>
    Jared Bunting <jared.bunting@peachjean.com>
    Steve Romanow <slestak989@gmail.com>
    Augosto Hermann <augusto.herrmann@planejamento.gov.br>
    Ankit Solanki <ankit.solanki@gmail.com>
    Liad Shani <liadff@gmail.com>
    Les Peabody <lpeabody@gmail.com>
    Jonas Oberschweiber <jonas.oberschweiber@d-velop.de>
    Matt Zuba <matt.zuba@goodwillaz.org>
    Aras Pranckevicius <aras@unity3d.com>
    Tony Bussieres <t.bussieres@gmail.com>
    Erwin Kroon <e.kroon@smartmetersolutions.nl>
    nansenat16 <nansenat16@null.tw>
    Vincent Duvert <vincent@duvert.net>
    Takumi IINO <trot.thunder@gmail.com>
    Indra Talip <indra.talip@gmail.com>
    James Rhodes <jrhodes@redpointsoftware.com.au>
    Dominik Ruf <dominikruf@gmail.com>
    xpol <xpolife@gmail.com>
    Vincent Caron <vcaron@bearstech.com>
    Zachary Auclair <zach101@gmail.com>
    Stefan Engel <mail@engel-stefan.de>
    Andrew Shadura <andrew@shadura.me>
    Raoul Thill <raoul.thill@gmail.com>
    Philip Jameson <philip.j@hostdime.com>
    Mads Kiilerich <madski@unity3d.com>
    Dan Sheridan <djs@adelard.com>
    Dennis Brakhane <brakhane@googlemail.com>
    Simon Lopez <simon.lopez@slopez.org>
    Jonathan Sternberg <jonathansternberg@gmail.com>
    Grzegorz Rożniecki <xaerxess@gmail.com>
    Andrew Kesterson <andrew@aklabs.net>
    David A. Sjøen <david.sjoen@westcon.no>
    Jelmer Vernooij <jelmer@samba.org>
    larikale
    SteveCohen
    RhodeCode GmbH
    Sebastian Kreutzberger <sebastian@rhodecode.com>
    thomas <thomas@rhodecode.com>
    Bradley M. Kuhn <bkuhn@sfconservancy.org>
    Sean Farley <sean.michael.farley@gmail.com>
    Martin Vium <martinv@unity3d.com>
    Daniel Anderson <daniel@dattrix.com>
    Travis Burtrum <android@moparisthebest.com>
    Calinou <calinou@opmbx.org>
    Christian Oyarzun <oyarzun@gmail.com>
    Denis Blanchette <dblanchette@coveo.com>
    duanhongyi <duanhongyi@doopai.com>
    Henrik Stuart <hg@hstuart.dk>
    Ingo von Borstel <kallithea@planetmaker.de>
    Jan Heylen <heyleke@gmail.com>
    Jim Hague <jim.hague@acm.org>
    Joseph Rivera <rivera.d.joseph@gmail.com>
    Kazunari Kobayashi <kobanari@nifty.com>
    Matt Fellows <kallithea@matt-fellows.me.uk>
    Max Roman <max@choloclos.se>
    Michael Pohl <michael@mipapo.de>
    Michael V. DePalatis <mike@depalatis.net>
    Michal Čihař <michal@cihar.com>
    Morten Skaaning <mortens@unity3d.com>
    Na'Tosha Bard <natosha@unity3d.com>
    Nick High <nick@silverchip.org>
    Niemand Jedermann <predatorix@web.de>
    Peter Vitt <petervitt@web.de>
    Sam Jaques <sam.jaques@me.com>
    Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
    Tuux <tuxa@galaxie.eu.org>
    Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>