
Ben Bangert committed 58b015c

* Added option to make Beaker use a secure cookie.


Files changed (3)

 ================
 
 0.9.2 (**tip**)
+* Added option to make Beaker use a secure cookie.
 * Removed CTRCipher as pycryptopp doesn't need it.
 * Changed AES to use 256 bit.
 * Fixed signing code to use hmac with sha for better signing security.

beaker/session.py

     def __init__(self, request, id=None, invalidate_corrupt=False, 
                  use_cookies=True, type=None, data_dir=None, 
                  key='beaker.session.id', timeout=None, cookie_expires=True,
-                 cookie_domain=None, secret=None, log_file=None, 
+                 cookie_domain=None, secret=None, secure=False, log_file=None, 
                  namespace_class=None, **kwargs):
         if type is None:
             if data_dir is None:
         self.log_file = log_file
         self.was_invalidated = False
         self.secret = secret
+        self.secure = secure
         
         self.id = id
             
             self.cookie[self.key] = self.id
             if self.cookie_domain:
                 self.cookie[self.key]['domain'] = self.cookie_domain
+            if self.secure:
+                self.cookie[self.key]['secure'] = True
             self.cookie[self.key]['path'] = '/'
             if self.cookie_expires is not True:
                 if self.cookie_expires is False:
         whether session data is still valid.
     ``encrypt_key``
         The key to use for the session encryption, if not provided the session
-        will not be encrypted. This will only work if a strong hash scheme is
-        available, such as pycryptopp's or Python 2.5's hashlib.sha256.
+        will not be encrypted.
     ``validate_key``
         The key used to sign the encrypted session
     ``cookie_domain``
         Domain to use for the cookie.
-        
+    ``secure``
+        Whether or not the cookie should only be sent over SSL.
+    
     """
     def __init__(self, request, key='beaker.session.id', timeout=None,
                  cookie_expires=True, cookie_domain=None, encrypt_key=None,
-                 validate_key=None, **kwargs):
+                 validate_key=None, secure=False, **kwargs):
         if not crypto_ok:
             raise BeakerException("PyCrypto is not installed, can't use cookie-only Session.")
         
         self.encrypt_key = encrypt_key
         self.validate_key = validate_key
         self.request['set_cookie'] = False
+        self.secure = secure
         
         try:
             cookieheader = request['cookie']
         self.cookie[self.key] = val
         if self.cookie_domain:
             self.cookie[self.key]['domain'] = self.cookie_domain
+        if self.secure:
+            self.cookie[self.key]['secure'] = True
+        
         self.cookie[self.key]['path'] = '/'
         if self.cookie_expires is not True:
             if self.cookie_expires is False:
         ('secret', (str, types.NoneType), "Session secret must be a string."),
         ('validate_key', (str, types.NoneType), "Session encrypt_key must be a string."),
         ('encrypt_key', (str, types.NoneType), "Session validate_key must be a string."),
+        ('secure', (bool, types.NoneType), "Session secure must be a boolean."),
         ('timeout', (int, types.NoneType), "Session timeout must be an integer."),
     ]
     return verify_rules(params, rules)
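Review bot: The `secure` docstring entry added to CookieSession says the cookie is "only sent over SSL", but the `Secure` attribute written in the `if self.secure:` blocks controls only whether the browser returns the cookie over HTTPS; a session first issued during a plain-HTTP request is presumably still created and stored, and the browser will never present it back, so each HTTP request under `secure=True` would start a fresh session. Worth stating that in the entry, e.g. `Whether the cookie is marked Secure, so the browser only sends it back over HTTPS; sessions issued on plain-HTTP requests will not be returned by the browser.` The same applies to the identical block in Session's cookie-writing code, whose enclosing method starts and ends outside the hunk, and Session's own docstring (not in this diff) should document the new parameter as well. The new coercion rule accepts `bool` or `None`; if session options arrive as strings from a config file, `'true'` would not satisfy that type check unless `verify_rules` coerces it — confirm that path handles string booleans.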