Maxim Sloyko

Reputation: 15876

How to make authkit session cookie HttpOnly in pylons?

I use authkit module with Pylons and I see that session cookie it sets (aptly named authkit) is not set to be HttpOnly.

Is there a simple way to make it HttpOnly? (By "simple" I mean the one that does not involve hacking authkit's code.)

Upvotes: 2

Views: 868

Answers (1)

Alex Martelli

Reputation: 882093

This is not documented in authkit, because it only started working in Python 2.6 (see here), but if you do have Python 2.6 then

authkit.cookie.params.httponly = true

in the config should work and do what you desire.

authkit internally uses a Cookie.SimpleCookie, and that's what limits the keys you can have for the authkit.cookie.params -- up to Python 2.5 they were only the keys supported by the standard, RFC 2109, but in Python 2.6 the useful httponly extension was added -- which is how authkit gained support for it automatically... because, quite properly, it doesn't do its own checks but rather delegates all checks to SimpleCookie.

If you're stuck with Python 2.5 or earlier, then to make this work will require a little more effort (not changing authkit, but monkeypatching Python's Cookie.py, or better, if feasible, installing a newer version of Cookie.py from the Python 2.6 sources in a directory that's earlier in sys.path than the directory for Python's own standard library).

Upvotes: 2
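An added example (not from the answer or from authkit) of the delegation the answer describes: a layer that copies configured cookie params onto a SimpleCookie Morsel and lets the standard library decide which attributes exist, plus a check on the emitted Set-Cookie value. It uses Python 3's http.cookies (the successor of Python 2's Cookie.py); the as_flag coercion of config strings is my own handling, assumed here rather than authkit's.

```python
from http.cookies import SimpleCookie, CookieError, Morsel

# Attributes SimpleCookie renders by presence (truthy) rather than by value.
FLAG_KEYS = {"httponly", "secure"}


def as_flag(value):
    """Config files hand over strings, and the bare string "false" is
    still truthy to SimpleCookie, so normalise flags before passing them
    down. (Assumed handling for this example, not authkit's own.)"""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1", "yes", "on")
    return bool(value)


def build_set_cookie(name, value, params):
    """Copy every configured cookie param onto the Morsel and let
    SimpleCookie validate it, the way a delegating layer does.
    An attribute the installed Cookie module does not know raises
    CookieError from the stdlib itself. Returns the Set-Cookie value."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    for key, val in params.items():
        morsel[key] = as_flag(val) if key.lower() in FLAG_KEYS else val
    return morsel.OutputString()


def param_supported(key):
    """Probe whether the installed Cookie module accepts an attribute;
    this is exactly what limits the usable cookie.params keys."""
    probe = Morsel()
    probe.set("probe", "x", "x")
    try:
        probe[key] = True
    except CookieError:
        return False
    return True


def has_httponly(set_cookie_value):
    """Defender's check on an emitted Set-Cookie header value."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" in attrs


if __name__ == "__main__":
    hdr = build_set_cookie("authkit", "abc123", {"path": "/", "httponly": "true"})
    print(hdr, "->", has_httponly(hdr))
```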
