Patch for #349 #350

Closed
wants to merge 1 commit into from

3 participants

@paulbjensen
Owner

See issue: #349 (reference)

@rednaxus

Hi Paul, giving a look at this, I'm not sure I see where you detect the kind of server it is... if http it should be secure:false, if https, should be secure:true

@paulbjensen
Owner

Hi Rednaxus,

At the time I simply wanted to make sure users could patch the security hole ASAP. I didn't give consideration to auto-detecting the server protocol and setting the value that way. I will have a look and see if it's possible.

@rednaxus

I just hacked something, like whenever it's https it has a key/certificate, that kind of stuff, if you look closer at the http and https objects they'll have something a little more obvious

@owenb

Hi Paul

Let me know if you can do the HTTP/HTTPS detection. If not I'll merge this in and have a look before releasing it.

Owen

@paulbjensen
Owner

I had a very brief look last night but I couldn't find a way from within http/index or session/index. The next chance I'll get to look at this is this evening.

@paulbjensen
Owner

An update. I'm probably not going to get a chance to implement a way of auto-detecting the server protocol and setting the secure flag in the session options. Would anyone else like to have a pop at implementing this?

@owenb owenb closed this
Commits on Feb 2, 2013
  1. @paulbjensen

    patch for issue #349

    paulbjensen authored
3  lib/http/index.js
@@ -59,7 +59,8 @@ module.exports = function(root) {
cookie: {
path: '/',
httpOnly: false,
- maxAge: sessionOptions.maxAge
+ maxAge: sessionOptions.maxAge,
+ secure: sessionOptions.secure
},
store: sessionStore
}));
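Review bot: `secure` is passed straight through from `sessionOptions.secure` with no check against the server the middleware is mounted on; if a user sets it to true while serving plain HTTP, browsers will never return the cookie and every request starts a new session, which is the detection gap raised in the discussion. Until auto-detection exists, a startup warning when `secure` is true and the server is not `https.Server` would make the failure visible. Note also that `httpOnly: false` on the line above is unchanged, so the session cookie remains readable by page scripts; if that is required by the client library it deserves a comment saying so.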
3  lib/session/index.js
@@ -10,7 +10,8 @@ subscriptions = require('../websocket/subscriptions');
sessionStore = new connect.session.MemoryStore;
exports.options = {
- maxAge: null
+ maxAge: null,
+ secure: false
};
exports.store = {
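Review bot: the new `secure: false` default has no comment here, while the CoffeeScript source in `src/session/index.coffee` documents it; since this compiled file is what users of the npm package read, carry the same comment over, e.g. `secure: false // set to true when serving over HTTPS so the session cookie is never sent over plain HTTP`. With no protocol detection in this patch, the default is insecure unless the application opts in, so the README or changelog should tell HTTPS deployments to set `ss.session.options.secure = true`.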
2  src/http/index.coffee
@@ -55,7 +55,7 @@ module.exports = (root) ->
.use(connect.cookieParser('SocketStream'))
.use(connect.favicon(staticPath + '/favicon.ico'))
.use(connect.session(
- cookie: { path: '/', httpOnly: false, maxAge: sessionOptions.maxAge },
+ cookie: { path: '/', httpOnly: false, maxAge: sessionOptions.maxAge , secure: sessionOptions.secure},
store: sessionStore
))
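Review bot: formatting nit in the added line: there is a stray space before the comma and no space before the closing brace (`maxAge: sessionOptions.maxAge , secure: sessionOptions.secure}`); suggest `cookie: { path: '/', httpOnly: false, maxAge: sessionOptions.maxAge, secure: sessionOptions.secure },` so it matches the compiled `lib/http/index.js` hunk and the surrounding style. The compiled output in `lib/` should be regenerated from this file rather than edited by hand so the two cannot drift.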
3  src/session/index.coffee
@@ -12,7 +12,8 @@ sessionStore = new connect.session.MemoryStore
# Expose options which can be changed in your app
exports.options =
- maxAge: null # by default session exists for duration of user agent (e.g. until browser is closed)
+ maxAge: null # by default session exists for duration of user agent (e.g. until browser is closed)
+ secure: false # enable this to ensure that cookies cannot be tampered with across protocols aka MITM attacks
# Allow use of any Connect Session Store
exports.store =
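Review bot: the comment on `secure` overstates what the flag does. The cookie Secure attribute only tells the browser not to send the cookie over non-HTTPS connections, so it keeps the session id off the wire in clear text; it does not stop the cookie being tampered with (integrity comes from the signed cookie that `connect.cookieParser('SocketStream')` provides in `src/http/index.coffee`), and it is not a general MITM defence. Suggested wording: `secure: false # set to true when serving over HTTPS so the session cookie is never sent over plain HTTP`. It is also worth stating in the same comment that enabling it on a plain-HTTP server breaks sessions, since the patch does not detect the protocol.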