Mark cookies HttpOnly and -- if https is used -- secure.

Fixes issue2550689, but is untested if this really works in browsers.

Author: schlatterbeck

CHANGES.txt

@@ -77,6 +77,8 @@ Fixed:
   for the patch.
 - Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
   reporting. (Ralf)
+- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
+  issue2550689, but is untested if this really works in browsers. (Ralf)
 
 
 2011-07-15: 1.4.19

roundup/cgi/client.py

@@ -296,6 +296,9 @@ def __init__(self, instance, request, env, form=None, translator=None):
         # this is the base URL for this tracker
         self.base = self.instance.config.TRACKER_WEB
 
+        # should cookies be secure?
+        self.secure = self.base.startswith ('https')
+
         # check the tracker_we setting
         if not self.base.endswith('/'):
             self.base = self.base + '/'
@@ -1475,6 +1478,11 @@ def header(self, headers=None, response=None):
             cookie = "%s=%s; Path=%s;"%(name, value, path)
             if expire is not None:
                 cookie += " expires=%s;"%get_cookie_date(expire)
+            # mark as secure if https, see issue2550689
+            if self.secure:
+                cookie += " secure;"
+            # prevent theft of session cookie, see issue2550689
+            cookie += " HttpOnly;"
             headers.append(('Set-Cookie', cookie))
 
         self._socket_op(self.request.start_response, headers, response)
@@ -1508,17 +1516,6 @@ def add_cookie(self, name, value, expire=86400*365, path=None):
             expire = -1
         self._cookies[(path, name)] = (value, expire)
 
-    def set_cookie(self, user, expire=None):
-        """Deprecated. Use session_api calls directly
-
-        XXX remove
-        """
-
-        # insert the session in the session db
-        self.session_api.set(user=user)
-        # refresh session cookie
-        self.session_api.update(set_cookie=True, expire=expire)
-
     def make_user_anonymous(self):
         """ Make us anonymous