[Zope-Checkins] SVN: Zope/trunk/ Extended BrowserIdManager to expose the 'HTTPOnly' attribute for its cookie.

Tres Seaver tseaver at palladion.com
Tue Apr 28 12:51:58 EDT 2009


Log message for revision 99562:
  Extended BrowserIdManager to expose the 'HTTPOnly' attribute for its cookie.
  
  o Via https://bugs.launchpad.net/zope2/+bug/367393 
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/Products/Sessions/BrowserIdManager.py
  U   Zope/trunk/src/Products/Sessions/dtml/addIdManager.dtml
  U   Zope/trunk/src/Products/Sessions/dtml/manageIdManager.dtml
  U   Zope/trunk/src/Products/Sessions/tests/testBrowserIdManager.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2009-04-28 16:50:18 UTC (rev 99561)
+++ Zope/trunk/doc/CHANGES.rst	2009-04-28 16:51:58 UTC (rev 99562)
@@ -21,6 +21,9 @@
 Features Added
 ++++++++++++++
 
+- Extended BrowserIdManager to expose the 'HTTPOnly' attribute for its
+  cookie. Also via https://bugs.launchpad.net/zope2/+bug/367393 .
+
 - Addeed support for an optional 'HTTPOnly' attribute of cookies (see
   http://www.owasp.org/index.php/HTTPOnly).  Patch from Stephan Hofmockel,
   via https://bugs.launchpad.net/zope2/+bug/367393 .

Modified: Zope/trunk/src/Products/Sessions/BrowserIdManager.py
===================================================================
--- Zope/trunk/src/Products/Sessions/BrowserIdManager.py	2009-04-28 16:50:18 UTC (rev 99561)
+++ Zope/trunk/src/Products/Sessions/BrowserIdManager.py	2009-04-28 16:51:58 UTC (rev 99562)
@@ -70,12 +70,13 @@
 def constructBrowserIdManager(
     self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
     location=('cookies', 'form'), cookiepath='/', cookiedomain='',
-    cookielifedays=0, cookiesecure=0, auto_url_encoding=0, REQUEST=None
+    cookielifedays=0, cookiesecure=0, cookiehttponly=0, auto_url_encoding=0,
+    REQUEST=None
     ):
     """ """
     ob = BrowserIdManager(id, title, idname, location, cookiepath,
                           cookiedomain, cookielifedays, cookiesecure,
-                          auto_url_encoding)
+                          cookiehttponly, auto_url_encoding)
     self._setObject(id, ob)
     ob = self._getOb(id)
     if REQUEST is not None:
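Review bot: Inserting `cookiehttponly` ahead of `auto_url_encoding` in the `def constructBrowserIdManager` signature means any existing caller that passes `auto_url_encoding` positionally now silently sets the HttpOnly flag instead and leaves URL encoding off; `BrowserIdManager.__init__` (which the call in this hunk now feeds positionally) and `manage_changeBrowserIdManager` receive the same reordering in the hunks below. Appending the new parameter after the existing ones keeps old positional calls working: `cookielifedays=0, cookiesecure=0, auto_url_encoding=0, cookiehttponly=0, REQUEST=None`. The ZMI form posts by field name, so the form path is unaffected either way. The body of constructBrowserIdManager continues past the end of this hunk.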
@@ -115,7 +116,7 @@
     def __init__(self, id, title='', idname='_ZopeId',
                  location=('cookies', 'form'), cookiepath=('/'),
                  cookiedomain='', cookielifedays=0, cookiesecure=0,
-                 auto_url_encoding=0):
+                 cookiehttponly=0, auto_url_encoding=0):
         self.id = str(id)
         self.title = str(title)
         self.setBrowserIdName(idname)
@@ -124,6 +125,7 @@
         self.setCookieDomain(cookiedomain)
         self.setCookieLifeDays(cookielifedays)
         self.setCookieSecure(cookiesecure)
+        self.setCookieHTTPOnly(cookiehttponly)
         self.setAutoUrlEncoding(auto_url_encoding)
 
     def manage_afterAdd(self, item, container):
@@ -278,7 +280,7 @@
     def manage_changeBrowserIdManager(
         self, title='', idname='_ZopeId', location=('cookies', 'form'),
         cookiepath='/', cookiedomain='', cookielifedays=0, cookiesecure=0,
-        auto_url_encoding=0, REQUEST=None
+        cookiehttponly=0, auto_url_encoding=0,  REQUEST=None
         ):
         """ """
         self.title = str(title)
@@ -287,6 +289,7 @@
         self.setCookieDomain(cookiedomain)
         self.setCookieLifeDays(cookielifedays)
         self.setCookieSecure(cookiesecure)
+        self.setCookieHTTPOnly(cookiehttponly)
         self.setBrowserIdNamespaces(location)
         self.setAutoUrlEncoding(auto_url_encoding)
         self.updateTraversalData()
@@ -377,6 +380,16 @@
         """ """
         return self.cookie_domain
 
+    security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieHTTPOnly')
+    def setCookieHTTPOnly(self, http_only):
+        """ sets cookie 'HTTPOnly' on or off """
+        self.cookie_http_only = bool(http_only)
+
+    security.declareProtected(ACCESS_CONTENTS_PERM, 'getCookieHTTPOnly')
+    def getCookieHTTPOnly(self):
+        """ retrieve the 'HTTPOnly' flag """
+        return self.cookie_http_only
+
     security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure')
     def setCookieSecure(self, secure):
         """ sets cookie 'secure' element for id cookie """
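Review bot: `getCookieHTTPOnly` returns `self.cookie_http_only`, which is only assigned by `__init__` and `setCookieHTTPOnly`, so a BrowserIdManager instance persisted in the ZODB before this change will raise AttributeError the first time it is read — in the ZMI form through `getCookieHTTPOnly`, and on every request where the cookie dict is built. A class-level default guards old instances without a migration step: `cookie_http_only = False` on the class, placed next to whatever defaults the other cookie attributes have (not visible in this hunk). The setter's docstring should also say what the flag buys: `""" Set whether the browser-id cookie is sent with HttpOnly, hiding it from script (document.cookie) so an XSS cannot read the session id; off by default for compatibility. """`.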
@@ -387,7 +400,7 @@
         """ """
         return self.cookie_secure
 
-    security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure')
+    security.declareProtected(CHANGE_IDMGR_PERM, 'setAutoUrlEncoding')
     def setAutoUrlEncoding(self, auto_url_encoding):
         """ sets 'auto url encoding' on or off """
         self.auto_url_encoding = not not auto_url_encoding
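Review bot: The permission line now protects `setAutoUrlEncoding` with CHANGE_IDMGR_PERM instead of re-declaring `setCookieSecure`; before this the setter presumably fell through to the class's default protection, so this is an access-control correction rather than part of the HttpOnly feature and deserves its own CHANGES.rst entry (the one in this commit does not mention it). A one-line comment would keep the reason with the code: `# was mis-declared as 'setCookieSecure'; the setter was not covered by CHANGE_IDMGR_PERM`. A test asserting the declared permission for the setter would keep it from regressing; the tests hunk below adds none. I cannot see the rest of the class, so whether some other declaration already covered the method is inferred, not shown.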
@@ -424,8 +437,11 @@
             expires = now() + self.cookie_life_days * 86400
             # Wdy, DD-Mon-YYYY HH:MM:SS GMT
             expires = strftime('%a %d-%b-%Y %H:%M:%S GMT',gmtime(expires))
+        
+        # cookie attributes managed by BrowserIdManager
         d = {'domain':self.cookie_domain,'path':self.cookie_path,
-             'secure':self.cookie_secure,'expires':expires}
+             'secure':self.cookie_secure,'http_only': self.cookie_http_only,
+             'expires':expires}
 
         if self.cookie_secure:
             URL1 = REQUEST.get('URL1', None)
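Review bot: The new comment `# cookie attributes managed by BrowserIdManager` describes the dict rather than the new key; the useful thing to record is that the `'http_only'` key is the contract with `HTTPResponse.setCookie` from the companion patch referenced in CHANGES.rst (not visible here), and that if setCookie drops keys it does not recognise, a name mismatch would fail silently and leave the cookie readable from script. Suggested wording: `# 'http_only' must match the keyword HTTPResponse.setCookie accepts; a mismatched name is unlikely to error and would silently leave the cookie scriptable`. `self.cookie_http_only` on this line is also where an instance created before the attribute existed would raise on every request, so a class-level default matters for this path as much as for the getter. The enclosing method starts and ends outside this hunk.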

Modified: Zope/trunk/src/Products/Sessions/dtml/addIdManager.dtml
===================================================================
--- Zope/trunk/src/Products/Sessions/dtml/addIdManager.dtml	2009-04-28 16:50:18 UTC (rev 99561)
+++ Zope/trunk/src/Products/Sessions/dtml/addIdManager.dtml	2009-04-28 16:51:58 UTC (rev 99562)
@@ -150,6 +150,16 @@
     <INPUT TYPE="checkbox" NAME="cookiesecure">
   </TD>
 </TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+    <div class="form-label">
+      Make cookie not aviable from JavaScript
+    </div>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+    <INPUT TYPE="checkbox" NAME="cookiehttponly">
+  </TD>
+</TR>
 
 
 </TR> <TR> <TD></TD> <TD>
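Review bot: The label `Make cookie not aviable from JavaScript` has a typo and does not name the attribute an administrator will look up; `Make cookie inaccessible to JavaScript (HttpOnly)` does. The same label text is added to manageIdManager.dtml in this commit and should change there too. The checkbox carries no VALUE attribute, so an unchecked box submits nothing and the handler's `cookiehttponly=0` default applies — correct, and the same convention the `cookiesecure` checkbox above relies on, but worth a one-line DTML comment next to the input so nobody "fixes" it by adding a value of 0, which would be truthy after `bool()`.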

Modified: Zope/trunk/src/Products/Sessions/dtml/manageIdManager.dtml
===================================================================
--- Zope/trunk/src/Products/Sessions/dtml/manageIdManager.dtml	2009-04-28 16:50:18 UTC (rev 99561)
+++ Zope/trunk/src/Products/Sessions/dtml/manageIdManager.dtml	2009-04-28 16:51:58 UTC (rev 99562)
@@ -134,11 +134,23 @@
      <dtml-if getCookieSecure>CHECKED</dtml-if>>
   </TD>
 </TR>
+
 <TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+    <div class="form-label">
+      Make cookie not aviable from JavaScript 
+    </div>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+    <INPUT TYPE="checkbox" NAME="cookiehttponly"
+     <dtml-if getCookieHTTPOnly>CHECKED</dtml-if>>
+  </TD>
+</TR>
+
+<TR>
   <TD></TD>
   <TD><BR><INPUT class="form-element" TYPE="SUBMIT" VALUE=" Change "></TD>
 </TR>
 </TABLE>
 </FORM>
 <dtml-var manage_page_footer>
-

Modified: Zope/trunk/src/Products/Sessions/tests/testBrowserIdManager.py
===================================================================
--- Zope/trunk/src/Products/Sessions/tests/testBrowserIdManager.py	2009-04-28 16:50:18 UTC (rev 99561)
+++ Zope/trunk/src/Products/Sessions/tests/testBrowserIdManager.py	2009-04-28 16:51:58 UTC (rev 99562)
@@ -116,6 +116,10 @@
         self.m.setCookieSecure(1)
         self.failUnless( self.m.getCookieSecure() == 1 )
 
+    def testSetCookieHTTPOnly(self):
+        self.m.setCookieHTTPOnly(True)
+        self.assertEqual( self.m.getCookieHTTPOnly(), True )
+
     def testGetBrowserIdCookie(self):
         token = self.m.getBrowserId()
         self.m.REQUEST.browser_id_ = token
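Review bot: `testSetCookieHTTPOnly` covers only the True path; since the setter coerces with `bool()` and the ZMI checkbox submits a string, the cases that matter are the coercions: `self.m.setCookieHTTPOnly('on'); self.assertEqual(self.m.getCookieHTTPOnly(), True)` and `self.m.setCookieHTTPOnly(0); self.assertEqual(self.m.getCookieHTTPOnly(), False)`. A freshly constructed manager should also be asserted to report False, pinning the compatibility default that existing deployments keep after upgrading.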
@@ -223,6 +227,29 @@
                     (keystring, key))
         self.failUnless( html == expected )
 
+    def testHTTPOnlyCookieAttribute(self):
+        self.m.setCookieHTTPOnly(True)
+        self.failUnless(self.m.getBrowserId())
+        resp_cookies = self.req.RESPONSE.cookies
+        session_cookie = resp_cookies[self.m.browserid_name]
+        self.assertEqual(session_cookie['http_only'], True)
+
+    def testSecureCookieAttribute_correct_url(self):
+        self.m.setCookieSecure(1)
+        self.req['URL1'] = 'https://www.test.org'
+        self.failUnless(self.m.getBrowserId())
+        resp_cookies = self.req.RESPONSE.cookies
+        session_cookie = resp_cookies[self.m.browserid_name]
+        self.assertEqual(session_cookie['secure'], True)
+
+    # This test document the 'feature':
+    # return a browser ID but dont set the cookie 
+    def testSecureCookieAttribute_wrong_url(self):
+        self.m.setCookieSecure(1)
+        self.req['URL1'] = 'http://www.test.org'
+        self.failUnless(self.m.getBrowserId())
+        self.assertEqual( self.req.RESPONSE.cookies, {} )
+    
     def testAutoUrlEncoding(self):
         self.m.setAutoUrlEncoding(1)
         self.m.setBrowserIdNamespaces(('url',))
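Review bot: `testHTTPOnlyCookieAttribute` asserts only the `'http_only'` entry in `RESPONSE.cookies`, i.e. the dict this product itself built, not that the attribute reaches the Set-Cookie header; an assertion on the rendered cookie header (if the test harness exposes the response output) would catch a key-name mismatch with HTTPResponse.setCookie, which is the failure mode that leaves the cookie scriptable without any error. There is also no test that the default leaves `'http_only'` False or absent. The comment on `testSecureCookieAttribute_wrong_url` should read `# Documents existing behaviour: with cookiesecure set and a non-https URL, getBrowserId() returns an id but no cookie is set`, which states both the behaviour and why it is worth pinning — the browser id is never handed to the client over plain HTTP.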


