Niphlod, thanks, you're correct; that's exactly what's happening.
We should then update the *requires_https()* implementation:
*gluon/globals.py:*
    def requires_https(self):
        """
        If request comes in over HTTP, redirect it to HTTPS
        and secure the session.
        """
        # global_settings, redirect, URL and current are already available
        # at module level in gluon/globals.py; the session is only reachable
        # here as current.session (there is no bare ``session`` name in this
        # module), so forget() is called on current.session like secure().
        if not global_settings.cronjob and not self.is_https:
            # Drop the session created for this HTTP request so that no
            # non-secure cookie is set alongside the redirect.
            current.session.forget()
            redirect(URL(scheme='https', args=self.args, vars=self.vars))
        current.session.secure()
On Monday, October 1, 2012 4:34:26 PM UTC-4, Niphlod wrote:
>
> groan, I posted something and it doesn't show up: apologies for double
> posting if the previous one shows up in a few....
>
> The "issue" is that you are not session.forget()ting the requests going to
> the http realm: what you are doing is overriding the cookie before
> redirecting.
>
> Both the browser and web2py behave consistently. Case without
> session.forget():
> 1. https://something
> - browser: none
> - web2py: set-cookie abcd secure
> 2. https://something
> - browser: abcd
> - web2py: set-cookie abcd secure
> 3. http://something
> - browser: none ("I must not send a secured cookie back to the domain
> without https")
> - web2py: location https://something, set-cookie defg ("User is new
> around here, let's create a new session")
> 4. https://something
> - browser: defg ("I can send the cookie I received before because it
> was not secured")
> - web2py: set-cookie defg secure
>
> When you set session.forget() for the http realm, all goes well:
> 1. https://something
> - browser: none
> - web2py: set-cookie abcd secure
> 2. https://something
> - browser: abcd
> - web2py: set-cookie abcd secure
> 3. http://something
> - browser: none
> - web2py: location https://something
> 4. https://something
> - browser: abcd ("No new cookies were issued, so I use the one set
> before, it's a https request with a secured cookie, send abcd back")
> - web2py: set-cookie abcd secure
>
> PS: the issue presents itself only if you do redirections within web2py
> without session.forget()... a normal webserver issues only the
> *Location* header and sets no cookies when set to redirect something, so it
> behaves "more correctly" and exactly like web2py with session.forget() enabled.
>
>
--
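As an added illustration (not code from this thread or from web2py itself): a small model of the browser's cookie jar and of the session-cookie handling around requires_https(), replaying the two four-request sequences Niphlod describes. The class and function names, the cookie name and the "sessN" ids are assumptions made for the simulation.

```python
# Added example: a model of the browser cookie jar and of the session cookie
# logic around requires_https(); class/function names are invented here.
from itertools import count

class BrowserJar:
    """Minimal cookie jar that honours the Secure flag like a browser."""
    def __init__(self):
        self.cookies = {}  # name -> (value, secure)

    def cookies_for(self, scheme):
        # A Secure cookie is only sent back over https; plain ones go anywhere.
        return {n: v for n, (v, secure) in self.cookies.items()
                if scheme == "https" or not secure}

    def store(self, set_cookie):
        # A later Set-Cookie for the same name overrides the stored one.
        self.cookies.update(set_cookie)

class Web2pyApp:
    """Models one action protected by request.requires_https()."""
    COOKIE = "session_id_app"  # constructed cookie name

    def __init__(self, forget_on_http):
        self.forget_on_http = forget_on_http
        self._ids = (f"sess{n}" for n in count(1))  # 'abcd', 'defg' above

    def handle(self, scheme, cookies):
        response = {"set_cookie": {}, "location": None}
        if scheme != "https":
            response["location"] = "https://something"
            if not self.forget_on_http:
                # No forget(): the session created for this request is saved
                # and its cookie is sent without the Secure flag.
                sid = cookies.get(self.COOKIE) or next(self._ids)
                response["set_cookie"][self.COOKIE] = (sid, False)
            return response
        # https: session.secure() -> the cookie goes out with the Secure flag
        sid = cookies.get(self.COOKIE) or next(self._ids)
        response["set_cookie"][self.COOKIE] = (sid, True)
        return response

def replay(forget_on_http):
    """Run https, https, http, https; return the session id set per step."""
    jar, app = BrowserJar(), Web2pyApp(forget_on_http)
    seen = []
    for scheme in ("https", "https", "http", "https"):
        resp = app.handle(scheme, jar.cookies_for(scheme))
        jar.store(resp["set_cookie"])
        seen.append(resp["set_cookie"].get(Web2pyApp.COOKIE, (None,))[0])
    return seen
```

Without forget() the plain cookie set on the HTTP redirect replaces the secure session ("abcd" becomes "defg"); with forget() the HTTP response carries no Set-Cookie and the original secure session survives.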