diff options
author | ianb <devnull@localhost> | 2009-03-03 23:52:31 +0000 |
---|---|---|
committer | ianb <devnull@localhost> | 2009-03-03 23:52:31 +0000 |
commit | 6c6088e2216956d0c77ac890894bd0922b998c7e (patch) | |
tree | baf706aa4b5c4d9ccf47352699d5ee7b45a16b50 /paste/auth | |
parent | 69c793c0b54259ea8b0f1e2200fb813c8defb7b8 (diff) | |
download | paste-6c6088e2216956d0c77ac890894bd0922b998c7e.tar.gz |
Apply patch to paste.auth.auth_tkt to make it easier to get the cookies, and avoid wildcard cookies, and add httponly support
Diffstat (limited to 'paste/auth')
-rw-r--r-- | paste/auth/auth_tkt.py | 51 |
1 files changed, 39 insertions, 12 deletions
diff --git a/paste/auth/auth_tkt.py b/paste/auth/auth_tkt.py index e1c5833..1b26f9c 100644 --- a/paste/auth/auth_tkt.py +++ b/paste/auth/auth_tkt.py @@ -209,7 +209,11 @@ class AuthTKTMiddleware(object): ``secure``: If the cookie should be set as 'secure' (only sent over SSL) and if - the login must be over SSL. + the login must be over SSL. (Defaults to False) + + ``httponly``: + If the cookie should be marked as HttpOnly, which means that it's + not accessible to JavaScript. (Defaults to False) ``include_ip``: If the cookie should include the user's IP address. If so, then @@ -237,13 +241,19 @@ class AuthTKTMiddleware(object): """ def __init__(self, app, secret, cookie_name='auth_tkt', secure=False, - include_ip=True, logout_path=None): + include_ip=True, logout_path=None, httponly=False, + no_domain_cookie=True, current_domain_cookie=True, + wildcard_cookie=True): self.app = app self.secret = secret self.cookie_name = cookie_name self.secure = secure + self.httponly = httponly self.include_ip = include_ip self.logout_path = logout_path + self.no_domain_cookie = no_domain_cookie + self.current_domain_cookie = current_domain_cookie + self.wildcard_cookie = wildcard_cookie def __call__(self, environ, start_response): cookies = request.get_cookies(environ) @@ -260,8 +270,13 @@ class AuthTKTMiddleware(object): remote_addr = '0.0.0.0' # @@: This should handle bad signatures better: # Also, timeouts should cause cookie refresh - timestamp, userid, tokens, user_data = parse_ticket( - self.secret, cookie_value, remote_addr) + try: + timestamp, userid, tokens, user_data = parse_ticket( + self.secret, cookie_value, remote_addr) + except BadTicket: + # bad credentials, just ignore without logging the user + # in or anything + return self.app(environ, start_response) tokens = ','.join(tokens) environ['REMOTE_USER'] = userid if environ.get('REMOTE_USER_TOKENS'): @@ -304,14 +319,26 @@ class AuthTKTMiddleware(object): # environment right now as well? cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME')) wild_domain = '.' + cur_domain - cookies = [ - ('Set-Cookie', '%s=%s; Path=/' % ( - self.cookie_name, ticket.cookie_value())), - ('Set-Cookie', '%s=%s; Path=/; Domain=%s' % ( - self.cookie_name, ticket.cookie_value(), cur_domain)), - ('Set-Cookie', '%s=%s; Path=/; Domain=%s' % ( - self.cookie_name, ticket.cookie_value(), wild_domain)) - ] + + cookie_options = "" + if self.secure: + cookie_options += "; secure" + if self.httponly: + cookie_options += "; HttpOnly" + + cookies = [] + if self.no_domain_cookie: + cookies.append(('Set-Cookie', '%s=%s; Path=/%s' % ( + self.cookie_name, ticket.cookie_value(), cookie_options))) + if self.current_domain_cookie: + cookies.append(('Set-Cookie', '%s=%s; Path=/; Domain=%s%s' % ( + self.cookie_name, ticket.cookie_value(), cur_domain, + cookie_options))) + if self.wildcard_cookie: + cookies.append(('Set-Cookie', '%s=%s; Path=/; Domain=%s%s' % ( + self.cookie_name, ticket.cookie_value(), wild_domain, + cookie_options))) + return cookies def logout_user_cookie(self, environ): |