
This queue is for tickets about the Catalyst-Plugin-Session-State-Cookie CPAN distribution.

Report information
The Basics
Id: 46574
Status: open
Priority: 0/
Queue: Catalyst-Plugin-Session-State-Cookie

People
Owner: Nobody in particular
Requestors: kmx [...] volny.cz
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Proposal: extending cookie_secure configuration option
Date: Mon, 01 Jun 2009 13:36:29 +0200
To: bug-Catalyst-Plugin-Session-State-Cookie [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>
Hi, I have a sort of idea to extend cookie_secure option to support these values:

0 = do not set secure flag
1 = set secure flag (always)
2 = set secure flag only if the request that caused cookie generation was sent over https

The patch would be something like this:

- $cookie->{secure} = 1 if $cfg->{cookie_secure};
+ my $sec = $cfg->{cookie_secure} || 0;
+ $cookie->{secure} = 1 if (($sec==1) || (($sec==2) && ($c->req->secure)));

To me it would make much sense to have 2 as default. But I am not sure if you will like the whole idea.

-- kmx
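Review bot: the new condition `($sec==1) || (($sec==2) && ($c->req->secure))` silently drops the secure flag for any cookie_secure value other than 1 or 2, where the removed line `$cookie->{secure} = 1 if $cfg->{cookie_secure};` honoured every true value. An existing config that sets cookie_secure to a non-numeric true value (a string such as 'yes') would keep working with the old line but would now produce an "isn't numeric" warning from `==` and an insecure cookie, and a typo like 3 is also downgraded to insecure without any notice. Suggest validating the option once at setup and dying on anything outside 0/1/2, or keeping backward compatibility by treating any true value that is not 2 as "always secure".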
Subject: Re: [rt.cpan.org #46574] Proposal: extending cookie_secure configuration option
Date: Mon, 01 Jun 2009 12:57:07 +0100
To: bug-Catalyst-Plugin-Session-State-Cookie [...] rt.cpan.org
From: Tomas Doran <bobtfish [...] bobtfish.net>
kmx via RT wrote:
> 2 = set secure flag only if the request that caused cookie generation
> was sent over https
> To me it would make much sense to have 2 as default.

<snip>. Yes, sounds perfectly reasonable to me. Please commit with tests. ;)

Cheers
t0m
> kmx via RT wrote:
> > 2 = set secure flag only if the request that caused cookie generation
> > was sent over https
>
> > To me it would make much sense to have 2 as default.

Actually, this would be a bad default. Many sites use https on login to prevent the password from being sent plaintext across the net, but then revert to 'normal' http when the login is completed. Having 2 as the default would break this. The rest of the patch is fine, but the default should be to let the cookie be on both HTTP / HTTPS.

Jay
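The three cookie_secure modes from the proposal, together with the https-login-then-http flow Jay describes, as an added illustration in Python (not the plugin's own Perl code; the Request and cookie objects are stand-ins for Catalyst's):

```python
"""Model of the proposed cookie_secure modes (0 / 1 / 2) and of how a
browser treats the resulting Secure flag. Added illustration only; the
Request class and the cookie dict are stand-ins, not Catalyst's objects."""
from dataclasses import dataclass


@dataclass
class Request:
    secure: bool  # True when this request arrived over https


def secure_flag(cookie_secure, req):
    """Decide the Secure attribute the way the proposed patch does:
    0 -> never, 1 -> always, 2 -> only if the generating request was https.
    An unset option (None) behaves like 0, matching `|| 0` in the patch."""
    sec = cookie_secure or 0
    return sec == 1 or (sec == 2 and req.secure)


def browser_sends(cookie, req):
    """A browser omits a cookie carrying the Secure flag on plain-http requests."""
    return not cookie["secure"] or req.secure


def session_survives(cookie_secure, login_https, after_https):
    """Issue the session cookie during login, then check whether the next
    request (for example the post-login page) still carries it."""
    cookie = {"secure": secure_flag(cookie_secure, Request(login_https))}
    return browser_sends(cookie, Request(after_https))
```

With mode 2, a site that logs in over https and then serves the rest of its pages over http loses the session on the very next request, which is the breakage Jay points out; modes 0 and 1 behave as before.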