Greetings.
See this ticket for some background:
https://fedorahosted.org/fedora-infrastructure/ticket/3022
I have tested all these in staging, so I don't think there will be any issues with anything, but if so we can always revert pretty easily. I also set secure on all our TG1 apps that didn't have that set.
+1s?
kevin -- diff --git a/modules/bodhi/templates/bodhi-prod.cfg.erb b/modules/bodhi/templates/bodhi-prod.cfg.erb index 9c176de..d554253 100644 --- a/modules/bodhi/templates/bodhi-prod.cfg.erb +++ b/modules/bodhi/templates/bodhi-prod.cfg.erb @@ -71,6 +71,7 @@ identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity" visit.manager="jsonfas2" visit.saprovider.model="fedora.accounts.tgfas.Visit" visit.cookie.secure = True +visit.cookie.httponly = True
# Our identity that we use to fetch bugzilla details and such bodhi_password='<%= bodhiBugzillaPassword %>' diff --git a/modules/elections/templates/elections-prod.cfg.erb b/modules/elections/templates/elections-prod.cfg.erb index d1bfc24..0b379fd 100644 --- a/modules/elections/templates/elections-prod.cfg.erb +++ b/modules/elections/templates/elections-prod.cfg.erb @@ -45,6 +45,9 @@ autoreload.on=False autoreload.package="elections" server.log_to_screen=False
+visit.cookie.secure = True +visit.cookie.httponly = True + # Auto-Reload after code modification # autoreload.on = True
diff --git a/modules/fas/templates/fas.cfg.erb b/modules/fas/templates/fas.cfg.erb index 08b58ff..3232b40 100644 --- a/modules/fas/templates/fas.cfg.erb +++ b/modules/fas/templates/fas.cfg.erb @@ -117,7 +117,7 @@ server.log_to_screen = False # Make the session cookie only return to the host over an SSL link visit.cookie.secure = True session_filter.cookie_secure = True - +visit.cookie.httponly = True
### ### Communicating to other services diff --git a/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb b/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb index 32c3d91..a3674b6 100644 --- a/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb +++ b/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb @@ -61,6 +61,7 @@ identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity" visit.manager="jsonfas2" visit.saprovider.model="fedora.accounts.tgfas.Visit" visit.cookie.secure = True +visit.cookie.httponly = True
mirrormanager.admin_group = 'sysadmin-web' mirrormanager.max_stale_days = 2 diff --git a/modules/smolt/templates/prod.cfg.erb b/modules/smolt/templates/prod.cfg.erb index 0e10dbd..2c34b3d 100644 --- a/modules/smolt/templates/prod.cfg.erb +++ b/modules/smolt/templates/prod.cfg.erb @@ -60,6 +60,9 @@ tg.strict_parameters = True tg.ignore_parameters = ["_csrf_token"] tg.scheduler = True
+visit.cookie.secure = True +visit.cookie.httponly = True + # LOGGING # Logging configuration generally follows the style of the standard # Python logging module configuration. Note that when specifying
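Review bot: for the bodhi hunk, confirm the new key actually takes effect rather than only that login still works: a config key the deployed TurboGears version does not recognise produces no error, it simply has no effect, so the staging test should include inspecting the Set-Cookie header of the visit cookie for both `Secure` and `HttpOnly`.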
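Review bot: the elections hunk is a larger behavioural change than the bodhi and mirrormanager ones, because it turns on `visit.cookie.secure` for the first time, not just `httponly`; a Secure cookie is never sent on a plain http:// request, so any http:// link to the app no longer carries a session. Confirm the production vhost redirects http to https, and add a comment line above the two new settings like the one fas already carries (`# Make the session cookie only return to the host over an SSL link`) so the reason is recorded in the template.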
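Review bot: in the fas hunk the `-` line removes the blank line that separated the cookie settings from the `### Communicating to other services` block, so the new key replaces the separator instead of being added next to the existing settings (hence the `-117,7 +117,7` header); keep the blank line. Also, fas sets `session_filter.cookie_secure = True` alongside `visit.cookie.secure`, but only the visit cookie gets HttpOnly here; check whether the session_filter cookie has an equivalent setting so both cookies get the same treatment.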
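Review bot: the mirrormanager hunk has no comment explaining the two cookie flags, unlike the fas template; a one-line comment above `visit.cookie.secure = True` and the new `visit.cookie.httponly = True` (or a reference to ticket 3022) would tell the next editor why both are on and that they should stay on.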
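Review bot: the smolt hunk, like elections, enables `visit.cookie.secure` for the first time as well as `httponly`, so confirm production serves smolt only over HTTPS (the cookie is simply not sent on http:// requests) and add a short comment above the two new lines, as the fas template has, so the reason is recorded. The neighbouring `tg.ignore_parameters = ["_csrf_token"]` line is unrelated: the cookie flags protect the cookie from plaintext exposure and script access and do not replace the CSRF token check.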
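As an added example (my code, not part of the Fedora infrastructure patch or of any of these apps): a small Python script that checks the observable effect of these settings, namely the `Secure` and `HttpOnly` attributes on the Set-Cookie header an app returns. It assumes the TurboGears 1 default visit cookie name `tg-visit`, runs offline on constructed sample headers, and includes `fetch_set_cookie_headers` as an optional helper for a live check against staging.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the Fedora infrastructure patch above. It checks
the observable effect of visit.cookie.secure / visit.cookie.httponly: the
attributes on the Set-Cookie header a deployed app actually emits.
"""
import urllib.request

# The cookie names we care about. "tg-visit" is the TurboGears 1 default
# visit cookie name (assumption: the apps in the patch keep that default).
SESSION_COOKIE_NAMES = ("tg-visit",)

# Constructed sample headers standing in for a real response: one app before
# the patch and one after. Cookie values are made up.
SAMPLE_BEFORE = [
    "tg-visit=deadbeefcafe; Path=/",
    "lang=en; Path=/",
]
SAMPLE_AFTER = [
    "tg-visit=deadbeefcafe; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value|True}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return the list of protective attributes absent from one header."""
    _name, _value, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def audit_headers(headers, names=SESSION_COOKIE_NAMES):
    """Map each session cookie name found in `headers` to its missing flags.

    Cookies not listed in `names` are ignored: a language preference cookie,
    for instance, has no reason to be HttpOnly.
    """
    report = {}
    for header in headers:
        name, _value, _attrs = parse_set_cookie(header)
        if name in names:
            report[name] = missing_flags(header)
    return report


def fetch_set_cookie_headers(url):
    """Collect the Set-Cookie headers a live URL returns (needs network).

    Not used by the offline samples; handy for checking staging after the
    config change is deployed.
    """
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for name, missing in audit_headers(headers).items():
            state = "missing " + ", ".join(missing) if missing else "ok"
            print(f"{label}: {name}: {state}")
```

Run against a staging URL with `audit_headers(fetch_set_cookie_headers("https://<staging-host>/login"))`; an empty list for `tg-visit` means both flags are present, which is the check the config change is meant to pass.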
On Fri, 23 Mar 2012 12:22:04 -0600 Kevin Fenzi kevin@scrye.com wrote:
+1
-sv
+1
-Toshio

On Fri, Mar 23, 2012 at 02:23:09PM -0400, seth vidal wrote:
+1
-sv
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure