After setting cookie_secure to True, BrowserIdManager keeps accepting already set cookies through plain HTTP
Bug #211437 reported by Servilio Afre Puentes
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zope 2 | Invalid | Low | Unassigned | |
Bug Description
It is contradictory/
The consistent behavior for this property is to delete cookies sent over plain HTTP once the cookie_secure attribute has been set to True (thus forcing regenerating the browser ID), and conversely, when set to False resending the same cookie with the secure attribute off.
The attached patch implements the first case.
Changed in zope2:
importance: Undecided → Low
status: New → Triaged
Also, no test is implemented yet.
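
The behaviour the report asks for, sketched as an added stand-alone example; this is not the attached patch and not Zope's code. The cookie name `_ZopeId`, the function names, and the sample cookie values are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "_ZopeId"  # assumed cookie name for this sketch


def _set_cookie(value, secure=False, expire=False):
    """Build one Set-Cookie header value for the browser id cookie."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    jar[COOKIE_NAME]["path"] = "/"
    if secure:
        jar[COOKIE_NAME]["secure"] = True
    if expire:
        jar[COOKIE_NAME]["max-age"] = 0  # tells the browser to drop the cookie
    return jar[COOKIE_NAME].OutputString()


def handle_request(cookie_header, is_https, cookie_secure):
    """Return (accepted_browser_id_or_None, [Set-Cookie header values])."""
    jar = SimpleCookie(cookie_header or "")
    presented = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

    if not cookie_secure:
        # Converse case: keep the same id and resend it without Secure.
        bid = presented or secrets.token_urlsafe(16)
        return bid, [_set_cookie(bid)]

    if not is_https:
        # An id that arrives over plain HTTP has crossed the wire in clear
        # text: do not accept it, and expire it so a new one gets generated.
        headers = [_set_cookie("deleted", expire=True)] if presented else []
        return None, headers

    if presented:
        return presented, []  # already held by the browser, sent over TLS
    bid = secrets.token_urlsafe(16)
    return bid, [_set_cookie(bid, secure=True)]
```

With `cookie_secure` on, the plain-HTTP branch never returns an id, so the next HTTPS request arrives without a cookie and receives a freshly generated one carrying the `Secure` attribute.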