
Ticket #5910: 5910-secure-cookies-r7511.patch

File 5910-secure-cookies-r7511.patch, 2.5 KB (added by rblank, 4 years ago)

Patch against 0.11-stable adding an option to set the secure flag on all cookies

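--- a/trac/env.py
+++ b/trac/env.py
@@ -99,6 +99,13 @@
         `base_url` setting also for redirects. This introduces the obvious
         limitation that this environment will only be usable when accessible
         from that URL, as redirects are frequently used. ''(since 0.10.5)''""")
+
+    secure_cookies = BoolOption('trac', 'secure_cookies', False,
+        """Restrict cookies to HTTPS connections.
+
+        When true, set the `secure` flag on all cookies so that they are
+        only sent to the server on HTTPS connections. Use this if your Trac
+        instance is only accessible through HTTPS. (''since 0.11.2'')""")
 
     project_name = Option('project', 'name', 'My Project',
         """Name of the project.""")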
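Review bot: The docstring of `secure_cookies` promises the flag on "all cookies", but the flag is applied by separate checks in each core cookie writer (auth, form token, session), so a cookie written by any other code path — a plugin assigning to `req.outcookie`, for instance — will presumably still go out without it. The option text should state the actual scope so an administrator does not assume plugin cookies are covered, e.g. "When true, set the secure flag on the cookies Trac itself sets (authentication, session and form token) so that they are only sent to the server on HTTPS connections." It would also be worth saying that the option must match the deployment (a TLS-terminating proxy in front of a plain-HTTP Trac still counts as HTTPS from the browser's side), since a wrong value either leaks the cookies over HTTP or makes login impossible.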
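--- a/trac/web/auth.py
+++ b/trac/web/auth.py
@@ -144,6 +144,8 @@
         req.authname = remote_user
         req.outcookie['trac_auth'] = cookie
         req.outcookie['trac_auth']['path'] = req.base_path or '/'
+        if self.env.secure_cookies:
+            req.outcookie['trac_auth']['secure'] = True
 
     def _do_logout(self, req):
         """Log the user out.
@@ -175,6 +177,8 @@
         req.outcookie['trac_auth'] = ''
         req.outcookie['trac_auth']['path'] = req.base_path or '/'
         req.outcookie['trac_auth']['expires'] = -10000
+        if self.env.secure_cookies:
+            req.outcookie['trac_auth']['secure'] = True
 
     def _get_name_for_cookie(self, req, cookie):
         db = self.env.get_db_cnx()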
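Review bot: The `if self.env.secure_cookies:` / `['secure'] = True` pair is copied verbatim into both hunks here and again in trac/web/main.py and trac/web/session.py, so the policy lives in four places and any cookie writer added later that forgets the two lines silently sends its cookie over plain HTTP, with nothing to catch the omission. A single helper that sets `path` and, when the option is on, `secure` for a named cookie (next to where `req.outcookie` is defined) would let each call site shrink to one line and keep the decision in one spot; the four call sites would then only name the cookie. The login hunk is the tail of `_do_login`, whose body starts outside the hunk, so whether `remote_user` is already validated there cannot be seen from this diff.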
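--- a/trac/web/main.py
+++ b/trac/web/main.py
@@ -280,6 +280,8 @@
         else:
             req.outcookie['trac_form_token'] = hex_entropy(24)
             req.outcookie['trac_form_token']['path'] = req.base_path or '/'
+            if self.env.secure_cookies:
+                req.outcookie['trac_form_token']['secure'] = True
             return req.outcookie['trac_form_token'].value
 
     def _pre_process_request(self, req, chosen_handler):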
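--- a/trac/web/session.py
+++ b/trac/web/session.py
@@ -154,6 +154,8 @@
         self.req.outcookie[COOKIE_KEY] = self.sid
         self.req.outcookie[COOKIE_KEY]['path'] = self.req.base_path or '/'
         self.req.outcookie[COOKIE_KEY]['expires'] = expires
+        if self.env.secure_cookies:
+            self.req.outcookie[COOKIE_KEY]['secure'] = True
 
     def get_session(self, sid, authenticated=False):
         refresh_cookie = False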