
CVE-2015-0256: Mark auth_ses cookie as secure

This cookie is used to skip authentication within 5 minutes.
If this is stolen, someone can steal your identity in FedOAuth.
puiterwijk committed Feb 4, 2015
1 parent f636524 commit 135c1c19418241634a93a3e6dbaa076e1f570da8
Showing with 3 additions and 1 deletion.
  1. +3 −1 fedoauth/auth/base.py
@@ -22,6 +22,7 @@
from flask import request, render_template
import logging

from fedoauth import APP
from fedoauth.model import Remembered


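Review bot: the new `from fedoauth import APP` import pulls the application object from the package root into `fedoauth/auth/base.py`, which is a circular-import hazard if `fedoauth/__init__.py` (where `APP` is presumably created) imports the auth modules at module load time; worth confirming that `APP` is fully constructed before this module is imported, since the only use of `APP` in this change is the single config lookup in the second hunk.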
@@ -189,7 +190,8 @@ def save_success(self, user, remember=True):
self.full_name,
authsesid)
request.set_cookie('%s_auth_ses' % self.full_name,
signed_authsesid)
signed_authsesid,
secure=APP.config['GLOBAL']['cookies_secure'])
logger.debug('Cookie set')

logger.debug('Login complete')
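Review bot: the `secure=` flag is read with `APP.config['GLOBAL']['cookies_secure']`, so a deployment whose config lacks that key fails with a `KeyError` at login rather than falling back to a safe value; consider `APP.config['GLOBAL'].get('cookies_secure', True)` so the default is secure and only an explicit opt-out disables it. Given the commit message's point that theft of `_auth_ses` is equivalent to identity theft, the same call should also pass `httponly=True` so the cookie is not readable from script, which the `secure` flag alone does not prevent.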
