[Checkins] SVN: zope.session/trunk/ Enable support for HttpOnly cookies.

Tres Seaver tseaver at palladion.com
Thu Aug 11 16:01:38 EDT 2011


Log message for revision 122550:
  Enable support for HttpOnly cookies.
  
  Addresses LP #824355.
  

Changed:
  U   zope.session/trunk/CHANGES.txt
  U   zope.session/trunk/src/zope/session/http.py

-=-
Modified: zope.session/trunk/CHANGES.txt
===================================================================
--- zope.session/trunk/CHANGES.txt	2011-08-11 19:53:19 UTC (rev 122549)
+++ zope.session/trunk/CHANGES.txt	2011-08-11 20:01:38 UTC (rev 122550)
@@ -4,6 +4,8 @@
 3.9.5 (unreleased)
 ------------------
 
+- LP #824355:  enable support for HttpOnly cookies.
+
 - Fix a bug in zope.session.session.Session that would trigger an
   infinite loop if either iteration or a containment test were
   attempted on an instance.

Modified: zope.session/trunk/src/zope/session/http.py
===================================================================
--- zope.session/trunk/src/zope/session/http.py	2011-08-11 19:53:19 UTC (rev 122549)
+++ zope.session/trunk/src/zope/session/http.py	2011-08-11 20:01:38 UTC (rev 122550)
@@ -123,6 +123,13 @@
         default=False,
         )
 
+    httpOnly = schema.Bool(
+        title=_('The cookie cannot be accessed through client side scripts'),
+        required=False,
+        default=False,
+        )
+
+
 class CookieClientIdManager(zope.location.Location, Persistent):
     """Session utility implemented using cookies."""
 
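Review bot: The new `httpOnly` schema field carries only a title, so whoever toggles it from a configuration form sees the one-line label and nothing about what the flag does or why it is off; a `description=_('When on, the session cookie is sent with the HttpOnly attribute so it is not exposed to browser-side scripts. Off by default.')` would document the option where it is configured. Whether `default=False` is chosen to keep existing instances unchanged is not visible in this hunk, but if that is the reason it belongs in that description too. The enclosing interface definition starts outside the hunk.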
@@ -134,6 +141,7 @@
     postOnly = FieldProperty(ICookieClientIdManager['postOnly'])
     domain = FieldProperty(ICookieClientIdManager['domain'])
     namespace = FieldProperty(ICookieClientIdManager['namespace'])
+    httpOnly = FieldProperty(ICookieClientIdManager['httpOnly'])
 
     def __init__(self, namespace=None, secret=None):
         """Create the cookie-based cleint id manager
@@ -482,6 +490,16 @@
           >>> request.response.getHeader('Expires')
           'Mon, 26 Jul 1997 05:00:00 GMT'
 
+        If the httpOnly attribute is set to a true value, then the
+        HttpOnly cookie option is included.
+
+          >>> request = HTTPRequest(StringIO(''), {}, None)
+          >>> bim.secure = False
+          >>> bim.httpOnly = True
+          >>> bim.setRequestId(request, '1234')
+          >>> print request.response.getCookie(bim.namespace)
+          {'path': '/', 'domain': u'.example.org', 'value': '1234', 'httponly': True}
+
         """
         # TODO: Currently, the path is the ApplicationURL. This is reasonable,
         #     and will be adequate for most purposes.
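Review bot: The doctest added here checks the dict returned by `getCookie`, where the flag appears under the lowercase key `'httponly'`, while the code in the last hunk of this file (the `if self.httpOnly:` block) stores it as `options['HttpOnly'] = True`; presumably `setCookie` normalises key case, but nothing in the diff shows that, and the test never looks at the rendered Set-Cookie header, which is the only thing a browser honours. A doctest line that inspects the outgoing header (however the response exposes it, e.g. through `getHeaders()`) would pin the behaviour that actually matters, and if `setCookie` accepts the lowercase spelling, writing `options['httponly'] = True` would make the code and the test agree without relying on normalisation. The docstring and the enclosing `setRequestId` method start and end outside the hunk.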
@@ -514,6 +532,9 @@
         if self.domain:
             options['domain'] = self.domain
 
+        if self.httpOnly:
+            options['HttpOnly'] = True
+
         response.setCookie(
             self.namespace, id,
             path=request.getApplicationURL(path_only=True),


