Files @ 43ad9c3b7d5d
Branch filter:

Location: kallithea/CONTRIBUTORS

43ad9c3b7d5d 3.0 KiB text/plain Show Annotation Show as Raw Download as Raw
Andrew Shadura
middleware: use secure cookies over secure connections

HTTP cookie spec defines secure cookies, which are transmitted only over secure
connections (HTTPS). Using them helps protect against some attacks, but cookies
shouldn't be made secure when we don't have HTTPS configured. As it is now, it's
left at user's discretion, but probably it's a good idea to force secure cookies
when they can be used.

In the current implementation, cookies are issued to users before they actually
try to log in, on the first page load. So if that happens over HTTPS, it's
probably safe to assume secure cookies can be used, and to default to normal
"insecure" cookies if HTTPS isn't available.

It's not easy to sneak into Beaker's internals, and it doesn't support selective
secureness, so we use our own wrapper around Beaker's SessionMiddleware class to
give secure cookies over HTTPS connections. Beaker's built-in mechanism for
secure cookies is forced to add the flag when needed only.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
List of contributors to Kallithea project:
    Marcin Kuźmiński <marcin@python-works.com>
    Lukasz Balcerzak <lukaszbalcerzak@gmail.com>
    Jason Harris <jason@jasonfharris.com>
    Thayne Harbaugh  <thayne@fusionio.com>
    cejones <>
    Thomas Waldmann <tw-public@gmx.de>
    Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
    Dmitri Kuznetsov <>
    Jared Bunting <jared.bunting@peachjean.com>
    Steve Romanow <slestak989@gmail.com>
    Augosto Hermann <augusto.herrmann@planejamento.gov.br>    
    Ankit Solanki <ankit.solanki@gmail.com>    
    Liad Shani <liadff@gmail.com>
    Les Peabody <lpeabody@gmail.com>
    Jonas Oberschweiber <jonas.oberschweiber@d-velop.de>
    Matt Zuba <matt.zuba@goodwillaz.org>
    Aras Pranckevicius <aras@unity3d.com>
    Tony Bussieres <t.bussieres@gmail.com>
    Erwin Kroon <e.kroon@smartmetersolutions.nl>
    nansenat16 <nansenat16@null.tw>
    Vincent Duvert <vincent@duvert.net>
    Takumi IINO <trot.thunder@gmail.com>
    Indra Talip <indra.talip@gmail.com>
    James Rhodes <jrhodes@redpointsoftware.com.au>
    Dominik Ruf <dominikruf@gmail.com>
    xpol <xpolife@gmail.com>
    Vincent Caron <vcaron@bearstech.com>
    Zachary Auclair <zach101@gmail.com>
    Stefan Engel <mail@engel-stefan.de>
    Andrew Shadura <andrew@shadura.me>
    Raoul Thill <raoul.thill@gmail.com>
    Philip Jameson <philip.j@hostdime.com>
    Mads Kiilerich <madski@unity3d.com>
    Dan Sheridan <djs@adelard.com>
    Dennis Brakhane <brakhane@googlemail.com>
    Simon Lopez <simon.lopez@slopez.org>
    Jonathan Sternberg <jonathansternberg@gmail.com>
    Grzegorz Rożniecki <xaerxess@gmail.com>
    Andrew Kesterson <andrew@aklabs.net>
    David A. Sjøen <david.sjoen@westcon.no>
    Jelmer Vernooij <jelmer@samba.org>
    larikale
    SteveCohen
    RhodeCode GmbH
    Sebastian Kreutzberger <sebastian@rhodecode.com>
    thomas <thomas@rhodecode.com>
    Bradley M. Kuhn <bkuhn@sfconservancy.org>
    Sean Farley <sean.michael.farley@gmail.com>
    Martin Vium <martinv@unity3d.com>
    Daniel Anderson <daniel@dattrix.com>
    Travis Burtrum <android@moparisthebest.com>
    Calinou <calinou@opmbx.org>
    Christian Oyarzun <oyarzun@gmail.com>
    Denis Blanchette <dblanchette@coveo.com>
    duanhongyi <duanhongyi@doopai.com>
    Henrik Stuart <hg@hstuart.dk>
    Ingo von Borstel <kallithea@planetmaker.de>
    Jan Heylen <heyleke@gmail.com>
    Jim Hague <jim.hague@acm.org>
    Joseph Rivera <rivera.d.joseph@gmail.com>
    Kazunari Kobayashi <kobanari@nifty.com>
    Matt Fellows <kallithea@matt-fellows.me.uk>
    Max Roman <max@choloclos.se>
    Michael Pohl <michael@mipapo.de>
    Michael V. DePalatis <mike@depalatis.net>
    Michal Čihař <michal@cihar.com>
    Morten Skaaning <mortens@unity3d.com>
    Na'Tosha Bard <natosha@unity3d.com>
    Nick High <nick@silverchip.org>
    Niemand Jedermann <predatorix@web.de>
    Peter Vitt <petervitt@web.de>
    Sam Jaques <sam.jaques@me.com>
    Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
    Tuux <tuxa@galaxie.eu.org>
    Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.