• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item6566: TWiki::LoginManager should support secure cookies

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine LoginManager Normal New   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

TWiki::Request supports the 'secure' option for cookies when the connection is over HTTPS but TWiki::LoginManager does not.

As a result, the only way to keep TWiki and the browser from happily sending the session cookie over plain HTTP is to run TWiki over HTTPS only, not even having a redirect from HTTP to HTTPS.

I suggest that a configurable extension to TWiki::LoginManager is made to set the 'secure' option for its cookie and only sending it if the TWiki::Request has the secure flag on.

Here is the change I made to _pushCookie() that works for me:

sub _pushCookie {
    my $this = shift;

    return unless $this->{twiki}->{request}->protocol() eq 'https';
    my $cookie = CGI::Cookie->new( -name => $TWiki::LoginManager::Session::NAME,
                                   -value => $this->{_cgisession}->id(),
                                   -secure => 1,
                                   -path => '/' );
...

-- TWiki:Main/StefanWalter - 2010-08-26

This sounds like a sensible enhancement. Could you post a feature request? See link in "Istanbul" pulldown menu.

-- TWiki:Main.PeterThoeny - 2010-08-26

I reformated this report and created http://twiki.org/cgi-bin/view/Codev/SecureCookiesForLoginManager. Please close this bug report then.

-- TWiki:Main.StefanWalter - 2010-08-27

Thank you. We can keep this item open. Each feature proposal has a corresponding bug item, this bug item is needed for the actual checkin.

-- TWiki:Main.PeterThoeny - 2010-08-28

ItemTemplate
Summary TWiki::LoginManager should support secure cookies
ReportedBy TWiki:Main.StefanWalter
Codebase 5.0.0
SVN Range TWiki-5.0.0, Sat, 21 Aug 2010, build 19350
AppliesTo Engine
Component LoginManager
Priority Normal
CurrentState New
WaitingFor

Checkins

TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r4 - 2010-08-28 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback