cookies: Set secure attribute for all cookies

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/web/__init__.py b/src/web/__init__.py
index f8cfef6997e846201bfd8e4fc0e490081fbb357f..d46e2bcea1f726fae8886d411e994c05ea2030cf 100644 (file)
--- a/src/web/__init__.py
+++ b/src/web/__init__.py
@@ -105,6 +105,9 @@ class Application(tornado.web.Application):
                                "make_url"           : self.make_url,
                        },
                        xsrf_cookies = True,
+                       xsrf_cookie_kwargs = dict(
+                               secure = True,
+                       ),
                )
                settings.update(kwargs)
 

diff --git a/src/web/auth.py b/src/web/auth.py
index 622147ab0f33817941d33c9b192494ff7d2ba47a..33d22b2b6e5f79537a097518642c5998a8eb99ea 100644 (file)
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -37,7 +37,7 @@ class LoginHandler(base.KerberosAuthMixin, base.BaseHandler):
                                self.current_address, user_agent=self.user_agent)
 
                # Send the session cookie to the browser
-               self.set_cookie("session_id", session.session_id, expires=session.valid_until)
+               self.set_cookie("session_id", session.session_id, secure=True, expires=session.valid_until)
 
                # If there is "next" given, we redirect the user accordingly
                next = self.get_argument("next", None)