id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,branch,changelog,apichanges,internalchanges
5910,have an option to set the Secure flag for trac_session cookies,dkg-debian.org@…,Remy Blank,"If you run trac entirely under HTTPS (e.g. at https://example.com/), there's no reason why you'd want the `trac_session` cookie to be sent in the clear (e.g. if users point their browsers to http://example.com/ by accident). The solution to this is to be able to set [http://wp.netscape.com/newsref/std/cookie_spec.html the secure flag] on the session cookie, which asks the browser to only transmit the cookie when access is made via TLS. I realize that not everyone who runs trac under HTTPS wants this (they may prefer to have a session persist across both HTTP and HTTPS accesses), but for those of us who run trac permanently behind TLS, it is a shame that end users' web browsers will freely transmit their session identifier in the clear if a wrong address is typed into the address bar. While sessions being tied to IP addresses is a mitigating factor here, it doesn't solve the most common case of cookie-sniffing, which is by a close peer on the LAN. In today's NAT'ed LANs it is much more likely that neighbors (i.e. office-mates, etc.) will share a public IP address. This makes the session re-usable by those most able to sniff the local network. A simple setting in `trac.ini` would be great. If this is already an option, please let me know how! I've searched the documentation and the source code and couldn't sort it out. Thanks again for all your work on trac.",defect,closed,normal,0.11.2,general,,normal,fixed,cookie secure security patch,,,,,
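The mechanism the reporter asks for, worked through as an added example. This is not Trac's code and is not from the ticket: it models the server side (a `trac.ini`-style boolean that decides whether `Set-Cookie` for `trac_session` carries `Secure`) and a deliberately minimal browser side (the RFC 6265 rule that a cookie with the Secure attribute is only attached to requests over a secure scheme), so the "user types http:// by mistake" case from the ticket can be reproduced. The option name `secure_cookies`, the `[trac]` section, the sample session id and the two sample configurations are assumptions constructed for the example.

```python
"""Secure flag on a session cookie and its browser-side effect.

Added example, not Trac's own code. Assumptions (constructed for the
example): a trac.ini-style [trac] section with a boolean `secure_cookies`
option, a cookie named `trac_session`, and a minimal model of browser
cookie-sending rules (only the Secure attribute and the Path attribute
are modelled, as in RFC 6265 section 5.4).
"""
from configparser import ConfigParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample configurations; the option name is an assumption.
TRAC_INI_DEFAULT = """
[trac]
secure_cookies = false
"""

TRAC_INI_SECURE = """
[trac]
secure_cookies = true
"""


def secure_cookies_enabled(ini_text):
    """Read the (assumed) [trac] secure_cookies boolean; absent means off."""
    cp = ConfigParser()
    cp.read_string(ini_text)
    return cp.getboolean("trac", "secure_cookies", fallback=False)


def session_cookie_header(ini_text, sid, path="/"):
    """Build the Set-Cookie header value the server would emit for a session."""
    c = SimpleCookie()
    c["trac_session"] = sid
    c["trac_session"]["path"] = path
    # HttpOnly keeps the session id away from page scripts; it is orthogonal
    # to Secure, but a session cookie should carry both.
    c["trac_session"]["httponly"] = True
    if secure_cookies_enabled(ini_text):
        # Secure asks the browser never to send the cookie over plain HTTP.
        c["trac_session"]["secure"] = True
    return c.output(header="").strip()


def parse_set_cookie(header_value):
    """Parse a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def cookies_sent_to(jar, url):
    """Names of the jar's cookies a browser would attach to a request for url.

    Only the Secure rule and the Path prefix rule are modelled (toy browser).
    """
    u = urlsplit(url)
    sent = []
    for name, _value, attrs in jar:
        if attrs.get("secure") and u.scheme != "https":
            continue  # Secure cookie, insecure scheme: withheld
        if not (u.path or "/").startswith(attrs.get("path", "/")):
            continue
        sent.append(name)
    return sent


def leaked_over_http(ini_text, sid="0123456789abcdef"):
    """True if a session issued under ini_text would go out in the clear when
    the user mistypes http://example.com/ instead of https://example.com/."""
    jar = [parse_set_cookie(session_cookie_header(ini_text, sid))]
    return "trac_session" in cookies_sent_to(jar, "http://example.com/")


if __name__ == "__main__":
    for label, ini in (("default", TRAC_INI_DEFAULT), ("secure", TRAC_INI_SECURE)):
        print(label, session_cookie_header(ini, "0123456789abcdef"),
              "leaks over http:", leaked_over_http(ini))
```

The toy browser ignores Domain, Expires and SameSite on purpose; the point is only that with `secure_cookies = false` the cookie is attached to the mistyped http:// request, and with `secure_cookies = true` it is withheld, which is exactly the gap the ticket describes. Sessions tied to a client IP address do not change this result, since the sniffing peer on a NAT'ed LAN presents the same public address.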