CVE-2015-0256: Mark auth_ses cookie as secure

This cookie is used to skip authentication within 5 minutes. If this is stolen, someone can steal you identity in FedOAuth.
FedOAuth · Feb 4, 2015 · 135c1c1 · 135c1c1
1 parent f636524
commit 135c1c1
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/fedoauth/auth/base.py b/fedoauth/auth/base.py
@@ -22,6 +22,7 @@
 from flask import request, render_template
 import logging
 
+from fedoauth import APP
 from fedoauth.model import Remembered
 
 
@@ -189,7 +190,8 @@ def save_success(self, user, remember=True):
                                 self.full_name,
                                 authsesid)
             request.set_cookie('%s_auth_ses' % self.full_name,
-                               signed_authsesid)
+                               signed_authsesid,
+                               secure=APP.config['GLOBAL']['cookies_secure'])
             logger.debug('Cookie set')
 
         logger.debug('Login complete')