From 1ba46be7104e36613ad2d57b0c032f533fada359 Mon Sep 17 00:00:00 2001
From: Jordan Milne
Date: Thu, 7 Aug 2014 19:04:27 -0300
Subject: [PATCH] Force HTTPS: Check the value of the 'secure_session' cookie

---
 r2/r2/controllers/reddit_base.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/r2/r2/controllers/reddit_base.py b/r2/r2/controllers/reddit_base.py
index b25b43112..515607e4e 100644
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -709,11 +709,16 @@ def set_hsts(max_age):
     response.headers["Strict-Transport-Security"] = hsts_val
 
 
+def have_secure_session_cookie():
+    cookie = c.cookies.get("secure_session", None)
+    return cookie and cookie.value == "1"
+
+
 def hsts_eligible():
     # When we're on HTTP, the secure_session cookie is the only way we can
     # prove the user wants HSTS.
     return (c.user.https_forced or
-            ("secure_session" in c.cookies and not c.secure))
+            (not c.secure and have_secure_session_cookie()))
 
 
 def hsts_modify_redirect(url):
@@ -751,7 +756,7 @@ def enforce_https():
         # Since users invalidate their old cookies when they enable the pref
         # themselves, this should only be hit when the pref is involuntarily
         # toggled.
-        if "secure_session" not in c.cookies:
+        if not have_secure_session_cookie():
             # HSTS might not be set up properly, but we can't force a grant
             # here because of badly behaved clients that will just never
             # send a "secure_session" cookie.
@@ -769,7 +774,7 @@ def enforce_https():
         if c.secure:
             # User disabled HTTPS forcing under another session or their
             # session became invalid and they're left with this dangling cookie.
-            if "secure_session" in c.cookies:
+            if have_secure_session_cookie():
                 change_user_cookie_security(False)
                 need_grant = True
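Review bot: `have_secure_session_cookie` returns `None` when the cookie is absent and `False`/`True` otherwise, because `cookie and cookie.value == "1"` short-circuits on the missing-cookie case; the callers only test truthiness today, but a helper that gates HSTS and cookie-security decisions should return a strict bool, e.g. `return cookie is not None and cookie.value == "1"`. The helper also has no docstring, and it is the one place that defines what counts as an opted-in secure session, so it should state that the cookie is client-supplied and that only the exact value `"1"` is honored — anything else is treated as no cookie — since that contract is what `hsts_eligible` and `enforce_https` now rely on. Whether `c.cookies.get(...)` can return an object without a `.value` attribute is not visible in this hunk and may be worth confirming against how `c.cookies` is populated.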
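Review bot: In the third hunk, the HTTPS branch of `enforce_https` now calls `change_user_cookie_security(False)` only when the cookie's value is exactly `"1"`, whereas the removed check fired on mere presence; a `secure_session` cookie carrying any other value on a secure connection is no longer cleaned up and, as far as this hunk shows, stays dangling on the client. If that is intended, the comment on the preceding lines should say so, e.g. `# Only a cookie with value "1" is treated as a live opt-in; other values are ignored here and left to expire.`; if not, the cleanup condition should keep testing presence (`"secure_session" in c.cookies`) while the eligibility checks in the first and second hunks keep the stricter value test. `enforce_https` begins and ends outside the hunks shown, so the surrounding control flow (including what `need_grant` feeds into) cannot be confirmed from the diff.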