After a security report, I've been asked to provide a secure session cookie.
I am using pyramid_beaker.session_factory_from_settings() and was lucky(?) to be able to set the httponly with ('session.httponly', True), but ('session.secure', True) does not provide the second option.
Is it possible to do it?
Pointers to the different session.* settings much appreciated also.
EDIT: I found a list in beaker.utils.coerce_session_params()
Thanks.
EDIT: I think I got the problem. I am using in development:
from wsgiref import simple_server  # assumed: the stdlib WSGI development server, as used in the Pyramid tutorials

http_server = simple_server.make_server('0.0.0.0', no_port, app)
http_server.serve_forever()

So the cookie is not sent because I am not on HTTPS. I need to set up an HTTPS server for this.
Sorry, is there a question here? It sounds like you answered the original one and are now looking at making your development setup work under https? Personally I tend to worry about that only on my staging server (where nginx handles the certificates), but in my development.ini locally I do not make cookies secure.