After setting cookie_secure to True, BrowserIdManager keeps accepting already set cookies through plain HTTP

Bug #211437 reported by Servilio Afre Puentes
Affects: Zope 2
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

It is contradictory/inconsistent to configure the BrowserIdManager to send cookies only over HTTPS and still accept some of them (the ones already set before the configuration change, so this set is built randomly/non-deterministically) over plain HTTP.

The consistent behavior for this property is to delete cookies sent over plain HTTP once the cookie_secure attribute has been set to True (thus forcing regenerating the browser ID), and conversely, when set to False resending the same cookie with the secure attribute off.

The attached patch implements the first case.

Servilio Afre Puentes (servilio) wrote :

Also, no test is implemented yet.
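
The behaviour requested in the bug description, sketched as an added example (this is not the attached patch and not Zope's BrowserIdManager code). The cookie name, the `Response` class and both function names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "browser_id"  # constructed name, not Zope's configuration


@dataclass
class Response:
    """Hypothetical stand-in for the HTTP response object."""
    set_cookie_headers: list = field(default_factory=list)


def set_cookie_header(value, secure, expire=False):
    parts = [f"{COOKIE_NAME}={value}", "Path=/"]
    if expire:
        parts.append("Max-Age=0")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def resolve_browser_id(scheme, cookies, cookie_secure, response):
    """Return the browser id to trust for this request, or None."""
    presented = cookies.get(COOKIE_NAME)

    if cookie_secure and scheme != "https":
        # An id arriving over plain HTTP predates the secure-only setting
        # and has crossed the network in clear text: expire it, never use it.
        # It cannot carry the Secure attribute (the browser would not have
        # sent it), so an expiry without Secure is enough to remove it.
        if presented is not None:
            response.set_cookie_headers.append(
                set_cookie_header("deleted", secure=False, expire=True))
        return None  # a fresh id is issued on the next HTTPS request

    if presented is not None:
        if not cookie_secure:
            # Converse case from the report: resend the same id, Secure off.
            response.set_cookie_headers.append(
                set_cookie_header(presented, secure=False))
        return presented

    new_id = secrets.token_hex(16)
    response.set_cookie_headers.append(set_cookie_header(new_id, cookie_secure))
    return new_id
```
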

Tres Seaver (tseaver)
Changed in zope2:
importance: Undecided → Low
status: New → Triaged
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Triaged → Invalid