fix session cookie behaviour to be more private for not-logged-in users, fixes #96

the bug was that it used a permanent cookie for not-logged-in users and only switched it to
a session cookie when you logged in (and did not check the remember me checkbox).

now it uses (non-permanent) session cookies by default and switches to the permanent cookie
only if you say so when logging in, by checking that checkbox.
This commit is contained in:
Thomas Waldmann 2013-11-28 09:14:16 +01:00
parent 9a8163de97
commit 4589dd512b
3 changed files with 9 additions and 8 deletions


@ -128,10 +128,10 @@ If you have set WE_HAVE_SSL to True (because you run the software on a https
site), you should also set *_COOKIE_SECURE to True to avoid the cookies getting
transmitted via http.
For local account logins, we use a session cookie by default (gets cleared when
you close the browser). If you check the "Keep me logged in checkbox" on the
login screen, then we'll set a permanent cookie with a lifetime as configured
by the site admin (SESSION_COOKIE_AGE, default: 14 days).
We use a session cookie by default (gets cleared when you close the browser).
If you check the "Keep me logged in" checkbox on the login screen, then we'll
set a permanent cookie with a lifetime as configured by the site admin
(SESSION_COOKIE_AGE, default: 14 days).
Be careful with domain cookies
------------------------------
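Review bot: the rewritten paragraph drops the "For local account logins" qualifier that the removed text carried; since the remember-me handling lives in the local login view (remember_me_login), users signing in by other methods may not get the checkbox behaviour at all, so either keep the qualifier or state that the session-cookie default applies to every login method. Moving the closing quote so it reads "Keep me logged in" checkbox is a good fix.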


@ -253,8 +253,8 @@ SESSION_COOKIE_NAME = 'sessionid'
SESSION_COOKIE_PATH = '/'
SESSION_COOKIE_SECURE = False # use True here if you have set WE_HAVE_SSL = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_AGE = 14 * 24 * 3600 # 2 weeks, in seconds (remember_me is True)
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # more safe (remember_me is False)
SESSION_COOKIE_AGE = 14 * 24 * 60 * 60 # 14 days, in seconds (remember_me is True)
SESSION_EXPIRE_AT_BROWSER_CLOSE = True # more safe (remember_me is False)
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
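Review bot: with SESSION_EXPIRE_AT_BROWSER_CLOSE now True, SESSION_COOKIE_AGE is no longer the lifetime of an ordinary session; it only matters for sessions on which set_expiry() is called explicitly (the remember-me path in urls.py), so the inline comment should say that, e.g. `SESSION_COOKIE_AGE = 14 * 24 * 60 * 60 # 14 days, lifetime of a session when remember_me was checked`, otherwise an admin lowering it will be surprised that anonymous sessions are unaffected. Rewriting 3600 as 60 * 60 is equivalent and purely cosmetic. The SESSION_COOKIE_SECURE = False default with its comment is unchanged and still correct for the http case described in the docs.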


@ -1,3 +1,4 @@
from django.conf import settings
from django.conf.urls import patterns, include, url
from django.contrib import admin
from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm
@ -16,8 +17,8 @@ def remember_me_login(request, *args, **kw):
when the browser is closed.
"""
if request.method == 'POST':
if not request.POST.get('remember_me'):
request.session.set_expiry(0)
if request.POST.get('remember_me'):
request.session.set_expiry(settings.SESSION_COOKIE_AGE)
return auth_views.login(request, *args, **kw)
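Review bot: set_expiry(settings.SESSION_COOKIE_AGE) runs before auth_views.login() has checked the credentials, so a failed POST with the box ticked still marks the anonymous session as modified with a 14-day expiry and the browser receives a persistent cookie, which is exactly what this commit sets out to avoid for not-logged-in users. Consider calling login first and setting the expiry only on success, e.g. `response = auth_views.login(request, *args, **kw)` then `if request.method == 'POST' and request.user.is_authenticated(): request.session.set_expiry(...)`. Dropping the `set_expiry(0)` else-branch also means a browser that previously logged in with remember_me and logs in again without it keeps the stored 14-day expiry, because Django's login() keeps the session data (including the stored expiry) when the same user re-authenticates; an explicit set_expiry(0) in that branch keeps the two cases symmetric.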