On Thursday, June 16, 2011 3:04:06 PM UTC-4, Richard G wrote:
>
> Someone please correct me if I am wrong, but this issue is one of
> architecting your applications/environment properly.
>
> If you only ever use https (i.e. no http) then all is fine.
>
> If you use mixed http & https, then you likely want to set session.secure()
> (this will set the cookie 'secure' attribute, identifying that the browser
> should never send the cookie over a non-secure channel).
> The issue is that first connection you use to obtain the cookie. If it is
> over a non-secure channel, the server will send you a cookie with your
> session id and the secure attribute set. This is an issue in that a third
> party can acquire your session id over this non-secure channel.
>
> Solution: Unfortunately the cookie is sent whether you are authenticated or
> not... I believe the only solution is to ensure all web2py calls are over a
> secure channel. Your settings can still identify that other calls may not be
> over secure channels though (think static files, etc... in which you bypass
> web2py).
>
Maybe we should also have something like session.regenerate(), which could
optionally be called by session.secure(). This would regenerate the session
ID (but keep the existing session). So, upon login, you could call
session.secure(regenerate=True), and it would change the session ID and
secure the cookie. Would that work?
Anthony
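The regenerate-on-login idea discussed in this thread, worked through as a small stand-alone example. This is added illustration code, not web2py's session implementation and not code posted by either participant: the `SessionStore` class, its `regenerate()` method, the `login()` helper and the cookie name `session_id_app` are all assumptions made for the demonstration. It shows the two halves of the proposal together: the session ID that was handed out before authentication (possibly over plain http, and therefore possibly observed) stops resolving to anything, the session data survives under a fresh ID, and the re-issued cookie carries the Secure attribute so the browser will not send it over a non-secure channel again.

```python
import secrets
from http.cookies import SimpleCookie

# Assumed cookie name for the example; web2py's real naming is not reproduced here.
COOKIE_NAME = "session_id_app"


class SessionStore:
    """Minimal in-memory server-side session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session_id -> dict of session data

    @staticmethod
    def new_session_id():
        # 256 bits from the OS CSPRNG: not guessable from earlier IDs.
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self.new_session_id()
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Returns None for unknown (or already rotated) IDs.
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the existing session data to a freshly generated ID and drop the
        old one. Whatever ID an attacker captured (or planted) before login no
        longer maps to a session, while the user keeps their session contents."""
        data = self._sessions.pop(old_sid)
        new_sid = self.new_session_id()
        self._sessions[new_sid] = data
        return new_sid


def secure_cookie_header(sid, name=COOKIE_NAME):
    """Build the Set-Cookie value that re-issues the session cookie with
    Secure (never sent over plain http) and HttpOnly (not readable by script)."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    return cookie.output(header="").strip()


def login(store, presented_sid, user):
    """The proposed session.secure(regenerate=True) flow, as an assumed helper:
    rotate the ID on successful authentication, record the user under the new
    ID only, and hand back the cookie header the response must carry."""
    new_sid = store.regenerate(presented_sid)
    store.get(new_sid)["user"] = user
    return new_sid, secure_cookie_header(new_sid)


def demo():
    """Run the scenario from the thread and return the observable facts."""
    store = SessionStore()
    # Pre-authentication session, issued over plain http in the scenario;
    # assume a third party observed this ID on the wire.
    pre_login_sid = store.create()
    store.get(pre_login_sid)["cart"] = ["item-1"]  # constructed sample data

    new_sid, header = login(store, pre_login_sid, "alice")
    return {
        "old_id_still_valid": store.get(pre_login_sid) is not None,
        "data_preserved": store.get(new_sid)["cart"] == ["item-1"],
        "user_set": store.get(new_sid)["user"] == "alice",
        "ids_differ": new_sid != pre_login_sid,
        "secure_flag": "Secure" in header,
        "httponly_flag": "HttpOnly" in header,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rotation only helps if the server also refuses the old ID afterwards, which is why `regenerate()` removes it rather than aliasing it; and as Richard notes above, the Secure attribute on the re-issued cookie does nothing for an ID that was already sent in the clear before login, which is exactly what discarding that ID addresses.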