I use authkit module with Pylons and I see that session cookie it sets (aptly named authkit) is not set to be HttpOnly.
Is there a simple way to make it HttpOnly? (By “simple” I mean the one that does not involve hacking authkit’s code.)
This is not documented in authkit, because it only started working in Python 2.6 (see here), but if you do have Python 2.6 then
in the config should work and do what you desire.
authkit internally uses a Cookie.SimpleCookie, and that’s what limits the keys you can have for the authkit.cookie.params. — up to Python 2.5 they were only the keys supported by the standard, RFC 2109, but in Python 2.6 the useful httponly extension was added — which is how authkit gained support for it automatically… because, quite properly, it doesn’t do its own checks but rather delegates all checks to SimpleCookie.

If you’re stuck with Python 2.5 or earlier, then to make this work will require a little more effort (not changing authkit, but monkeypatching Python’s Cookie.py, or better, if feasible, installing a newer version of Cookie.py from the Python 2.6 sources in a directory that’s earlier in sys.path than the directory for Python’s own standard library).
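The mechanism the answer describes, shown as an added example (not authkit's code and not from the original answer): SimpleCookie builds the Set-Cookie value and rejects any attribute name it does not know, which is why an httponly key in authkit.cookie.params. works only once the module knows that name. The example uses Python 3's http.cookies (the renamed Cookie module), so it does not reproduce the Python 2.5 failure itself; the "httponlyx" attribute name, the function names and the sample Set-Cookie lines are constructed for illustration. The last function is the check a defender would run over a captured Set-Cookie header to confirm the flag is actually present.

```python
from http.cookies import SimpleCookie, CookieError


def build_session_cookie(name, value, httponly=True, secure=False, path="/"):
    """Return the Set-Cookie header value SimpleCookie produces for one cookie.

    This mirrors the delegation the answer describes: the cookie name and the
    per-cookie parameters are handed to a SimpleCookie Morsel, and the Morsel
    does all the attribute validation.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if httponly:
        morsel["httponly"] = True  # known to SimpleCookie since Python 2.6
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def unknown_attribute_rejected(attribute="httponlyx"):
    """Show that SimpleCookie refuses attribute names it does not know.

    On Python 2.5 'httponly' itself was such an unknown name; here a
    hypothetical name ("httponlyx") is used because every current SimpleCookie
    knows 'httponly'. Returns True when the attribute is rejected.
    """
    jar = SimpleCookie()
    jar["authkit"] = "x"
    try:
        jar["authkit"][attribute] = True
    except CookieError:
        return True
    return False


def cookie_is_httponly(set_cookie_value):
    """Check one Set-Cookie header value for the HttpOnly flag, case-insensitively."""
    parts = [p.strip().lower() for p in set_cookie_value.split(";")]
    # parts[0] is name=value; the flag is one of the attribute parts after it
    return "httponly" in parts[1:]


# Constructed sample Set-Cookie values, as a server might emit them.
SAMPLE_HEADERS = [
    "authkit=session-token-0123; Path=/",            # what the question observed
    "authkit=session-token-0123; HttpOnly; Path=/",  # after adding httponly to the params
]


def audit(headers=SAMPLE_HEADERS):
    """Return the Set-Cookie values that lack HttpOnly, for review."""
    return [h for h in headers if not cookie_is_httponly(h)]


if __name__ == "__main__":
    print(build_session_cookie("authkit", "session-token-0123"))
    print("unknown attribute rejected:", unknown_attribute_rejected())
    for header in audit():
        print("missing HttpOnly:", header)
```

Note that OutputString() emits the attributes in sorted key order, so HttpOnly appears before Path and Secure regardless of the order in which they were set.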