Session2.0.6 - secure cookies
2010-11-19
Robert Ladyman
Dear Mike / Titus, et al.

I've just realised, having been struggling to get session_cookie_httponly and
session_cookie_secure to work, that the code for Session2 wasn't updated when
these options were added to the body of the code for quixote.

Looking through the change-log (CHANGES.txt) for 2.7b1 it looks like there are
two other changes that might affect session2 (I'm not certain as the changes
don't list the files that were changed), listed at the end: perhaps Neil could
confirm.

I'm happy to make the changes myself if they are not required to be put into
Session2 (for the secure and httponly stuff it looks like just _set_cookie
needs to be modified with about 3 lines - I haven't checked the others), but I
suspect that they might catch out others, so perhaps Mike or Titus would
rather do it. If not, I can make the changes on my source and post a patch.

Also, is it worth suggesting folding session2 into the session management for
Quixote? It's always struck me as a bit strange that there isn't a persistent
mechanism out of the box, as it were.

RJL

-- Possible changes that need to go into session2

Author: Neil Schemenauer 
Date:   Fri Jan 22 13:29:46 2010 -0600

    By default, set Cache-Control in addition to the Expires header.

    The Expires header is sufficient for HTTP 1.0 but for HTTP 1.1 we
    must add a must-revalidate directive.  Clients and proxies are
    allowed to ignore Expires in certain cases and use stale pages (RFC
    2616 sections 13.1.5 and 14.9.4).

Author: Neil Schemenauer 
Date:   Mon Sep 7 00:42:51 2009 -0600

    Add session iterator.


Author: Neil Schemenauer 
Date:   Sun May 31 19:09:53 2009 -0600

    Add SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.

    Based on a suggestion from Emmanuel Dreyfus , add
    the SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY options.
    Setting them to true will cause the corresponding flag to be set
    on the session cookie.


--
Robert Ladyman
File-Away Limited
3 Ralston Business Centre, Newtyle, Blairgowrie
Perthshire  PH12 8TL SCOTLAND
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
http://www.file-away.co.uk

============================================
Registered Office: 32 Church Street, Newtyle, Blairgowrie
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number SC222086
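The change the mail describes (a session store whose cookie-setting step ignores the session_cookie_secure and session_cookie_httponly options, and the few lines that make it honour them) is sketched below as an added example. It is not Quixote or Session2 code: SessionConfig, set_session_cookie_old, set_session_cookie, cookie_attributes and missing_session_flags are illustrative names, and the config attribute names are assumed to match Quixote's lower-cased form of the SESSION_COOKIE_* options. It uses only the standard library.

```python
"""Added example (not Quixote/Session2 code): an old-style session cookie setter
beside one that honours session_cookie_secure / session_cookie_httponly, plus a
small audit helper that reports which of the two flags a Set-Cookie value lacks."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List, Optional, Set


@dataclass
class SessionConfig:
    """Hypothetical stand-in for the Quixote config values the mail refers to
    (attribute names are an assumption, modelled on the SESSION_COOKIE_* options)."""
    session_cookie_name: str = "QX_session"
    session_cookie_path: str = "/"
    session_cookie_domain: Optional[str] = None
    session_cookie_secure: bool = False
    session_cookie_httponly: bool = False


def _base_cookie(config: SessionConfig, session_id: str):
    """Build the name/value/path/domain part shared by both variants."""
    jar = SimpleCookie()
    jar[config.session_cookie_name] = session_id
    morsel = jar[config.session_cookie_name]
    morsel["path"] = config.session_cookie_path
    if config.session_cookie_domain:
        morsel["domain"] = config.session_cookie_domain
    return morsel


def set_session_cookie_old(config: SessionConfig, session_id: str) -> str:
    """Pre-2.7 shape: the two flags are never consulted, so even a config that
    turns them on produces a cookie without Secure or HttpOnly."""
    return _base_cookie(config, session_id).OutputString()


def set_session_cookie(config: SessionConfig, session_id: str) -> str:
    """Same cookie, with the handful of lines that apply the two options."""
    morsel = _base_cookie(config, session_id)
    if config.session_cookie_secure:
        morsel["secure"] = True      # emitted as the bare 'Secure' attribute
    if config.session_cookie_httponly:
        morsel["httponly"] = True    # emitted as the bare 'HttpOnly' attribute
    return morsel.OutputString()


def cookie_attributes(set_cookie_value: str) -> Set[str]:
    """Lower-cased attribute names present in a Set-Cookie value (flags included);
    the leading name=value pair is skipped."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    return {p.split("=", 1)[0].lower() for p in parts[1:] if p}


def missing_session_flags(set_cookie_value: str) -> List[str]:
    """Audit helper: which of the two session-hardening flags are absent."""
    present = cookie_attributes(set_cookie_value)
    return [flag for flag in ("secure", "httponly") if flag not in present]


if __name__ == "__main__":
    cfg = SessionConfig(session_cookie_secure=True, session_cookie_httponly=True)
    sid = "example-session-id"          # constructed sample value
    for label, setter in (("old", set_session_cookie_old), ("fixed", set_session_cookie)):
        header = setter(cfg, sid)
        print(f"{label:5} Set-Cookie: {header}")
        print(f"      missing flags: {missing_session_flags(header) or 'none'}")
```

Running it shows the old setter emitting only Path despite both options being enabled, while the fixed setter adds Secure and HttpOnly; missing_session_flags is the kind of check worth running against a live response after upgrading, since a stale subclass silently drops the flags rather than failing.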