[mod_python] Secure Sessions

Jim Gallacher jpg at jgassociates.ca
Tue May 30 09:49:19 EDT 2006


marinus van aswegen wrote:
> Hi Jim
> 
> It's a good security practice not to permit the client to send a
> sessionid to non-secured (non-HTTPS) sites, even if it's encrypted.
> I just wanted to do this with mod_python.

I understand the logic of it, but I got the impression that you may have 
thought this was already supported in the Cookie class, which it is not.

We've added a new req.is_https() method in the development branch and 
backported to the 3.2.x branch. This will be included in the 3.2.9 
release which we are hoping to get out in the next couple of weeks.

Jim
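
An added illustration, not part of the original message and not mod_python's own code: a server-side guard that honors or issues a session id only when `req.is_https()` is true, and marks the cookie `Secure` so browsers keep it off plain HTTP. The `FakeRequest` class, the helper names and the `pysid` cookie name are assumptions made for this example; the cookie is built with the standard library's `http.cookies` so the sketch runs without Apache.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "pysid"  # session cookie name assumed for this example


class FakeRequest:
    """Constructed stand-in for a mod_python request object: only
    is_https(), headers_in and headers_out are modelled."""

    def __init__(self, https, cookie_header=None):
        self._https = https
        self.headers_in = {"Cookie": cookie_header} if cookie_header else {}
        self.headers_out = {}

    def is_https(self):
        return 1 if self._https else 0


def read_session_id(req):
    """Return the session id only when the request arrived over HTTPS."""
    if not req.is_https():
        return None  # an id seen on a plain-HTTP hop is treated as exposed
    jar = SimpleCookie(req.headers_in.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def issue_session_cookie(req, sid):
    """Set the session cookie with Secure so browsers keep it off HTTP."""
    if not req.is_https():
        return False  # never hand out a session id over plain HTTP
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    req.headers_out["Set-Cookie"] = jar[SESSION_COOKIE].OutputString()
    return True
```

The `Secure` attribute is what stops the client from sending the id to a non-HTTPS site; the `is_https()` check covers clients that ignore the attribute or cookies set before it was added.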

