[ic] Make MV_PASSWORD secure if set on secure page

Josh Lavin josh at perusion.net
Fri Jul 13 16:57:42 UTC 2012


Quoting Jon Jensen (jon at endpoint.com):
> Josh,
> 
> Unless I'm missing something, we need some documentation for this.
> You seem to be introducing a new UserDB option "secure_cookies" but
> there's no instruction on how to use it, or that it even exists.
> 
> Additions to the xmldocs repo, the catalog.cfg examples, and
> explanation in the commit message would all help.

Here's a patch for xmldocs:
https://github.com/jlavin/xmldocs/commit/bb5b2952a69627746e0acfb6a93b47f51f617a06


> On Thu, 12 Jul 2012, Josh Lavin wrote:
> 
> >https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6
> >
> >--- a/lib/Vend/UserDB.pm
> >+++ b/lib/Vend/UserDB.pm
> >@@ -1572,7 +1572,7 @@ sub login {
> >                                               );
> >               }
> >
> >-               username_cookies($self->{PASSED_USERNAME} ||
> >               $self->{USERNAME}, $pw)
> >+               username_cookies($self->{PASSED_USERNAME} ||
> >$self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
> >                       if $Vend::Cfg->{CookieLogin};
> >
> >               if ($self->{LOCATION}{LAST} ne 'none') {
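
Review bot: The third argument added to the `username_cookies(...)` call in `login` reads `$self->{OPTIONS}{secure_cookies}`, an option that nothing in this hunk documents or gives a default. Add a short comment at the call site, or a line in the commit message, saying what values the option takes and what happens when it is unset, so the change can be understood without the separate xmldocs patch.
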
> >@@ -1998,7 +1998,7 @@ sub new_account {
> >               else {
> >                       $self->set_values() unless
> >$self->{OPTIONS}{no_set};
> >                       $self->{USERNAME} = $foreign if $foreign;
> >-                       username_cookies($self->{USERNAME}, $pw)
> >+                       username_cookies($self->{USERNAME}, $pw,
> >$self->{OPTIONS}{secure_cookies})
> >                               if $Vend::Cfg->{CookieLogin};
> >
> >                       $self->log('new account') if $options{'log'};
> >@@ -2026,7 +2026,7 @@ sub new_account {
> >}
> >
> >sub username_cookies {
> >-               my ($user, $pw) = @_;
> >+               my ($user, $pw, $secure) = @_;
> >               return unless
> >                        $CGI::values{mv_cookie_password}
> >or
> >                        $CGI::values{mv_cookie_username}
> >or
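
Review bot: `my ($user, $pw, $secure) = @_;` adds an optional third parameter with no comment describing it. A one-line comment above `sub username_cookies` should state that `$secure` is optional and what a caller passing only two arguments gets.
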
> >@@ -2034,13 +2034,14 @@ sub username_cookies {
> >                        Vend::Util::read_cookie('MV_USERNAME');
> >               $::Instance->{Cookies} = [] unless defined
> >$::Instance->{Cookies};
> >               my $exp = time() + $Vend::Cfg->{SaveExpire};
> >+               $secure ||= $CGI::secure;
> >               push @{$::Instance->{Cookies}},
> >                       ['MV_USERNAME', $user, $exp];
> >               return unless
> >                       $CGI::values{mv_cookie_password}
> >or
> >                       Vend::Util::read_cookie('MV_PASSWORD');
> >               push @{$::Instance->{Cookies}},
> >-                       ['MV_PASSWORD', $pw, $exp];
> >+                       ['MV_PASSWORD', $pw, $exp, undef, undef,
> >$secure];
> >               return;
> >}
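
Review bot: `$secure ||= $CGI::secure;` means a false `secure_cookies` value can never switch the flag off on a secure page, so the option can only force the flag on. If that is intended, say so in a comment; otherwise test the argument with `defined`. Separately, the assignment sits before the `MV_USERNAME` push but the flag is only applied to `MV_PASSWORD`. Either move the assignment next to the `MV_PASSWORD` push or note that `MV_USERNAME` is deliberately left without it.
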
> 


