blob: cf6a99db21e8391a1848fdbeebf60639eca62f13 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From 5d6ce3671318c8d32bab770ece841590bbec358d Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier <bussonniermatthias@gmail.com>
Date: Fri, 17 Apr 2015 13:08:32 -0700
Subject: [PATCH] Set secure cookie by default if login handler is hit.
backport of https://github.com/jupyter/jupyter_notebook/pull/22 b8e99bc
> There is few chances that logged-in people do not use https connexion,
> but I guess it can happened if the server is ran in front of a proxy
> that does the https termination, so leave it configurable.
>
> closes ipython/ipython#8325
---
IPython/html/auth/login.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/IPython/html/auth/login.py b/IPython/html/auth/login.py
index 1ad4673..1a340c8 100644
--- a/IPython/html/auth/login.py
+++ b/IPython/html/auth/login.py
@@ -46,7 +46,13 @@ class LoginHandler(IPythonHandler):
pwd = self.get_argument('password', default=u'')
if self.login_available:
if passwd_check(self.password, pwd):
- self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()))
+ # tornado <4.2 have a bug that consider secure==True as soon as
+ # 'secure' kwarg is passed to set_secure_cookie
+ if self.settings.get('secure_cookie', self.request.protocol == 'https'):
+ kwargs = {'secure':True}
+ else:
+ kwargs = {}
+ self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs)
else:
self._render(message={'error': 'Invalid password'})
return
|
GitWeb
