In trunk!

On Wednesday, 3 October 2012 10:51:40 UTC-5, Yarin wrote:
>
> Niphlod- Thanks, you're correct- that's exactly what's happening.
>
> We should then update the *requires_https()* implementation:
>
> *gluon/globals.py:*
> def requires_https(self):
>     """
>     If request comes in over HTTP, redirect it to HTTPS
>     and secure the session.
>     """
>     if not global_settings.cronjob and not self.is_https:
>         # Forget the session before redirecting so the HTTP response
>         # carries only the Location header and no new (non-Secure) cookie.
>         current.session.forget()
>         redirect(URL(scheme='https', args=self.args, vars=self.vars))
>
>     current.session.secure()
>
>
> On Monday, October 1, 2012 4:34:26 PM UTC-4, Niphlod wrote:
>>
>> groan, I posted something and it doesn't show up: apologies for double 
>> posting if the previous one shows up in a few....
>>
>> The "issue" is that you are not session.forget()ting the requests going 
>> to the http realm: what you are doing is overriding the cookie before 
>> redirecting.
>>
>> Both the browser and web2py behave consistently. Case without 
>> session.forget():
>> 1. https://something
>>     - browser: none
>>     - web2py: set-cookie abcd secure
>> 2. https://something
>>     - browser: abcd
>>     - web2py: set-cookie abcd secure
>> 3. http://something
>>     - browser: none ("I must not send a secured cookie back to the domain 
>> without https")
>>     - web2py: location https://something, set-cookie defg ("User is new 
>> around here, let's create a new session")
>> 4. https://something
>>     - browser: defg ("I can send the cookie I received before because it 
>> was not secured")
>>     - web2py: set-cookie defg secure
>>
>> When you set session.forget() for the http realm, all goes well:
>> 1. https://something
>>     - browser: none
>>     - web2py: set-cookie abcd secure
>> 2. https://something
>>     - browser: abcd
>>     - web2py: set-cookie abcd secure
>> 3. http://something
>>     - browser: none
>>     - web2py: location https://something
>> 4. https://something
>>     - browser: abcd ("No new cookies were issued, so I use the one set 
>> before, it's a https request with a secured cookie, send abcd back")
>>     - web2py: set-cookie abcd secure
>>
>> PS: the issue presents itself only if you do redirections within web2py 
>> without session.forget()... a normal webserver issues only the 
>> *Location* header and sets no cookies when set to redirect something, so it 
>> behaves "more correctly" and exactly like web2py with session.forget() enabled.
>>
>>

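The two request traces in Niphlod's post can be replayed offline with a small simulation. This is an added example, not code from the web2py project or from anyone in the thread: the Browser and Server classes, the cookie name "session_id" and the session ids "abcd"/"defg" are constructed here. It models the two rules that matter (a browser never sends a Secure cookie on http, and a Set-Cookie in a redirect response overwrites the stored cookie) and shows that without session.forget() the https session "abcd" is silently replaced by "defg", a session id that was issued in a plaintext response.

```python
# Added example, not code from the web2py project or from anyone in this thread.
# It simulates the four-request sequence from Niphlod's post so the two traces
# can be compared in a single offline run. The class names, the cookie name
# "session_id" and the session ids "abcd"/"defg" are constructed for the example.


class Browser:
    """Cookie jar that honours the Secure attribute: a cookie flagged Secure is
    sent only on https requests, a non-Secure cookie is sent on http and https."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure_flag)

    def request(self, scheme, server):
        sent = {name: value for name, (value, secure) in self.cookies.items()
                if scheme == "https" or not secure}
        response = server.handle(scheme, sent)
        # Any Set-Cookie in the response replaces the stored cookie of that name,
        # whatever its Secure flag was before.
        for name, (value, secure) in response.get("set_cookie", {}).items():
            self.cookies[name] = (value, secure)
        return sent, response


class Server:
    """Models the relevant part of web2py's session handling: a request with no
    known session cookie gets a fresh session id, and the cookie is flagged
    Secure only when the request itself came over https (session.secure()).
    With forget_on_http=True the http leg does what session.forget() does:
    respond with the Location header only and set no cookie."""

    def __init__(self, forget_on_http):
        self.forget_on_http = forget_on_http
        self._fresh_ids = iter(["abcd", "defg", "hijk"])  # constructed ids
        self.known = set()

    def _session_id(self, cookies):
        sid = cookies.get("session_id")
        if sid not in self.known:
            sid = next(self._fresh_ids)
            self.known.add(sid)
        return sid

    def handle(self, scheme, cookies):
        if scheme == "http":
            response = {"status": 303, "location": "https://something"}
            if not self.forget_on_http:
                # requires_https() without session.forget(): the session is still
                # saved on the way out, so the redirect carries a new, non-Secure
                # cookie that the browser will send on the next https leg.
                response["set_cookie"] = {"session_id": (self._session_id(cookies), False)}
            return response
        return {"status": 200,
                "set_cookie": {"session_id": (self._session_id(cookies), True)}}


def run_sequence(forget_on_http):
    """Replay https, https, http, https and return one
    (scheme, cookie sent by the browser, cookie set by the server) per request."""
    browser, server = Browser(), Server(forget_on_http)
    trace = []
    for scheme in ("https", "https", "http", "https"):
        sent, response = browser.request(scheme, server)
        set_cookie = response.get("set_cookie", {}).get("session_id")
        trace.append((scheme, sent.get("session_id"), set_cookie))
    return trace


def final_session(forget_on_http):
    """Session id the server is using on the last https request."""
    return run_sequence(forget_on_http)[-1][2][0]


if __name__ == "__main__":
    for forget in (False, True):
        print("session.forget() on http leg:", forget)
        for scheme, sent, set_cookie in run_sequence(forget):
            print(f"  {scheme:5}  browser sent: {sent!s:5}  server set: {set_cookie}")
```

Running it prints the same two traces as the post: in the first run step 3 answers the http request with a redirect plus a non-Secure "defg" cookie and step 4 continues as "defg", while in the second run step 3 sends only the redirect and step 4 still sees "abcd".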