pyramid_beaker httponly and secure cookie
After a security report, I've been asked to provide a secure session cookie.
I am using pyramid_beaker.session_factory_from_settings() and was lucky(?) to be able to set the httponly with ('session.httponly', True), but ('session.secure', True) does not provide the second option.
Is it possible to do it?
Pointers to the different session.* settings much appreciated also.
EDIT: I found a list in beaker.utils.coerce_session_params()
Thanks.
EDIT: I think I got the problem. I am using in development:
http_server = simple_server.make_server('0.0.0.0', no_port, app)
http_server.serve_forever()
, so the cookie is not sent because I am not in HTTPS.
Sorry, is there a question here? It sounds like you answered the original one and are now looking at making your development setup work under https? Personally I tend to worry about that only on my staging server (where nginx handles the certificates), but in my development.ini locally I do not make cookies secure.
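
The behaviour described in the question's last edit, as an added example that is not part of the original post or of beaker's code: a cookie carrying the Secure flag is withheld by the client on plain HTTP and returned on HTTPS. It uses only the Python standard library to model the client side; the host name, cookie name and value, and the two settings dictionaries are constructed for illustration.

```python
# Added example: stdlib only; it models the cookie flags, it does not call beaker.
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed settings, using the two option names from the question.
PROD_SETTINGS = {"session.httponly": True, "session.secure": True}
DEV_SETTINGS = {"session.httponly": True, "session.secure": False}


def build_set_cookie(settings, name="beaker.session.id", value="abc123"):
    """Return a Set-Cookie header value carrying the flags from `settings`."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = bool(settings.get("session.httponly"))
    cookie[name]["secure"] = bool(settings.get("session.secure"))
    return cookie[name].OutputString()


class FakeResponse:
    """Minimal response object: CookieJar only calls .info() on it."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_back(settings, url):
    """Client receives the cookie from `url`, then requests `url` again.
    Returns the Cookie header of the second request, or None if withheld."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(build_set_cookie(settings)), Request(url))
    follow_up = Request(url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, settings, url in [
        ("secure over http ", PROD_SETTINGS, "http://app.example.test/"),
        ("secure over https", PROD_SETTINGS, "https://app.example.test/"),
        ("dev over http    ", DEV_SETTINGS, "http://app.example.test/"),
    ]:
        print(label, "->", cookie_sent_back(settings, url))
```

Keeping the secure option off only in the local development settings and on in staging and production, as the comment above describes, avoids losing the session on a plain-HTTP development server.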