Robert Brewer avatar Robert Brewer committed 6d70a4e

Fix for #1025 (Support for httponly session cookies)


Files changed (1)

cherrypy/lib/sessions.py

 
 def init(storage_type='ram', path=None, path_header=None, name='session_id',
          timeout=60, domain=None, secure=False, clean_freq=5,
-         persistent=True, debug=False, **kwargs):
+         persistent=True, httponly=False, debug=False, **kwargs):
     """Initialize session object (using cookies).
     
     storage_type
         and the cookie will be a "session cookie" which expires when the
         browser is closed.
     
+    httponly
+        If False (the default) the cookie 'httponly' value will not be set.
+        If True, the cookie 'httponly' value will be set (to 1).
+    
     Any additional kwargs will be bound to the new Session instance,
     and may be specific to the storage type. See the subclass of Session
     you're using for more information.
         # and http://support.mozilla.com/en-US/kb/Cookies
         cookie_timeout = None
     set_response_cookie(path=path, path_header=path_header, name=name,
-                        timeout=cookie_timeout, domain=domain, secure=secure)
+                        timeout=cookie_timeout, domain=domain, secure=secure,
+                        httponly=httponly)
 
 
 def set_response_cookie(path=None, path_header=None, name='session_id',
-                        timeout=60, domain=None, secure=False):
+                        timeout=60, domain=None, secure=False, httponly=False):
     """Set a response cookie for the client.
     
     path
         if False (the default) the cookie 'secure' value will not
         be set. If True, the cookie 'secure' value will be set (to 1).
 
+    httponly
+        If False (the default) the cookie 'httponly' value will not be set.
+        If True, the cookie 'httponly' value will be set (to 1).
+
     """
     # Set response cookie
     cookie = cherrypy.serving.response.cookie
         cookie[name]['domain'] = domain
     if secure:
         cookie[name]['secure'] = 1
-
+    if httponly:
+        if not cookie[name].isReservedKey('httponly'):
+            raise ValueError("The httponly cookie token is not supported.")
+        cookie[name]['httponly'] = 1
 
 def expire():
     """Expire the current session cookie."""