[ic] Make MV_PASSWORD secure if set on secure page

Jon Jensen jon at endpoint.com
Thu Jul 12 20:03:42 UTC 2012


Josh,

Unless I'm missing something, we need some documentation for this. You 
seem to be introducing a new UserDB option "secure_cookies" but there's no 
instruction on how to use it, or that it even exists.

Additions to the xmldocs repo, the catalog.cfg examples, and explanation 
in the commit message would all help.

Thanks,
Jon


On Thu, 12 Jul 2012, Josh Lavin wrote:

> https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6
>
> --- a/lib/Vend/UserDB.pm
> +++ b/lib/Vend/UserDB.pm
> @@ -1572,7 +1572,7 @@ sub login {
>                                                );
>                }
>
> -               username_cookies($self->{PASSED_USERNAME} ||
>                $self->{USERNAME}, $pw)
> +               username_cookies($self->{PASSED_USERNAME} ||
> $self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
>                        if $Vend::Cfg->{CookieLogin};
>
>                if ($self->{LOCATION}{LAST} ne 'none') {
> @@ -1998,7 +1998,7 @@ sub new_account {
>                else {
>                        $self->set_values() unless
> $self->{OPTIONS}{no_set};
>                        $self->{USERNAME} = $foreign if $foreign;
> -                       username_cookies($self->{USERNAME}, $pw)
> +                       username_cookies($self->{USERNAME}, $pw,
> $self->{OPTIONS}{secure_cookies})
>                                if $Vend::Cfg->{CookieLogin};
>
>                        $self->log('new account') if $options{'log'};
> @@ -2026,7 +2026,7 @@ sub new_account {
> }
>
> sub username_cookies {
> -               my ($user, $pw) = @_;
> +               my ($user, $pw, $secure) = @_;
>                return unless
>                         $CGI::values{mv_cookie_password}
> or
>                         $CGI::values{mv_cookie_username}
> or
> @@ -2034,13 +2034,14 @@ sub username_cookies {
>                         Vend::Util::read_cookie('MV_USERNAME');
>                $::Instance->{Cookies} = [] unless defined
> $::Instance->{Cookies};
>                my $exp = time() + $Vend::Cfg->{SaveExpire};
> +               $secure ||= $CGI::secure;
>                push @{$::Instance->{Cookies}},
>                        ['MV_USERNAME', $user, $exp];
>                return unless
>                        $CGI::values{mv_cookie_password}
> or
>                        Vend::Util::read_cookie('MV_PASSWORD');
>                push @{$::Instance->{Cookies}},
> -                       ['MV_PASSWORD', $pw, $exp];
> +                       ['MV_PASSWORD', $pw, $exp, undef, undef,
> $secure];
>                return;
> }
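Review bot: MV_PASSWORD can still be issued without the Secure flag, because `$secure ||= $CGI::secure;` falls back to the current request whenever `secure_cookies` is unset; a login over plain HTTP then pushes the cookie unflagged and may replace a flagged one set earlier over HTTPS. MV_USERNAME keeps the three-element form and so is never flagged, which is worth stating in a comment if intentional. I would add a comment above the assignment such as `# Secure flag: forced by secure_cookies, otherwise follows the scheme of the current request`, and consider skipping the MV_PASSWORD push when `$secure` is false if the password must never cross the wire in cleartext. The flag only protects transport; the value stored in the cookie is still `$pw`. username_cookies begins in the preceding hunk, so the first guard of the function is not fully visible here.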

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/
+1 507-399-0057


