Hi there! I use authkit module with Pylons and I see that session cookie it sets (aptly named authkit) is not set to be HttpOnly.
Is there a simple way to make it HttpOnly? (By "simple" I mean the one that does not involve hacking authkit's code.)
This is not documented in authkit, because it only started working in Python 2.6 (see here), but if you do have Python 2.6 then
authkit.cookie.params.httponly = true
in the config should work and do what you desire.
authkit internally uses a Cookie.SimpleCookie, and that's what limits the keys you can have for the authkit.cookie.params. Up to Python 2.5 they were only the keys supported by the standard, RFC 2109, but in Python 2.6 the useful httponly extension was added, which is how authkit gained support for it automatically: quite properly, it doesn't do its own checks but rather delegates all checks to SimpleCookie.
If you're stuck with Python 2.5 or earlier, then making this work will require a little more effort (not changing authkit, but monkeypatching Python's Cookie.py, or better, if feasible, installing a newer version of Cookie.py from the Python 2.6 sources in a directory that's earlier in sys.path than the directory for Python's own standard library).
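As an added example (not part of the answer above, nor authkit's own code), the following Python 3 snippet shows the mechanism the answer describes: each cookie parameter is handed straight to the SimpleCookie Morsel, which accepts only the attribute names it knows and renders HttpOnly into the Set-Cookie header itself. The module is http.cookies in Python 3 (Cookie in Python 2); the cookie name "authkit", the sample value and the parameter dicts are constructed for illustration, and the helper names are mine.

```python
from http.cookies import SimpleCookie, CookieError

# Constructed sample: what a Pylons INI section like
#   authkit.cookie.params.path = /
#   authkit.cookie.params.httponly = true
# would look like once parsed into a dict (all values are strings).
CONFIG_PARAMS = {"path": "/", "httponly": "true"}


def build_authkit_cookie(value, params):
    """Hand every *.params.* key to the Morsel, as the answer describes.

    SimpleCookie's Morsel raises CookieError for any attribute name it
    does not recognise, so the set of usable keys is decided by the
    stdlib, not by the application code that fills the cookie.
    """
    cookie = SimpleCookie()
    cookie["authkit"] = value
    for key, val in params.items():
        cookie["authkit"][key] = val
    return cookie


def set_cookie_value(cookie):
    """Return the Set-Cookie header value (without the 'Set-Cookie:' prefix)."""
    return cookie["authkit"].OutputString()


def has_httponly(header_value):
    """Practitioner check: does a Set-Cookie value carry the HttpOnly flag?

    Attribute names are case-insensitive, and HttpOnly is a bare flag
    (no '=value'), so compare lower-cased, stripped attribute tokens.
    """
    attrs = [part.strip().lower() for part in header_value.split(";")]
    return "httponly" in attrs


def attribute_accepted(name):
    """True if SimpleCookie knows this attribute, False if it rejects it."""
    probe = SimpleCookie()
    probe["probe"] = "x"
    try:
        probe["probe"][name] = "v"
    except CookieError:
        return False
    return True


if __name__ == "__main__":
    hdr = set_cookie_value(build_authkit_cookie("deadbeef", CONFIG_PARAMS))
    print("Set-Cookie:", hdr)
    print("HttpOnly present:", has_httponly(hdr))
    # Flags are rendered whenever their value is non-empty/truthy, which
    # is why the string "true" from the INI file is enough to enable it.
    print("httponly known to SimpleCookie:", attribute_accepted("httponly"))
    print("bogus attribute accepted:", attribute_accepted("bogusattr"))
```

Run it to see the header authkit produces once the flag is on, and compare against the one your deployment actually sends (for example with the browser's developer tools or curl -i) to confirm the setting took effect.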