How to set `secure` and `httpOnly` for Plone's `__a

Published 2019-07-24 07:23

I have Plone 4.3.2 (Zope 2.13.21) installed. As mentioned in the documentation (http://plone.org/documentation/kb/securing-plone), cookies should be secure and httpOnly with Zope 2.12 or higher.

Also note that the suggested patch has been included in Zope 2.12.0 b1, so Plone 4, which will use Zope 2.12 or higher, won't have this problem.

But if I log in as admin (or another user that is defined at the Zope root), the __ac cookie is neither secure nor httpOnly. If I log in as a user created in a site, everything is fine. Is there a way to change this?

1 answer
The star
#2 · 2019-07-24 07:45

First off, to set cookie settings in Plone:

  • append /manage onto your Plone site URL
  • click "acl_users"
  • click "session"
  • click the "properties" tab

Then, as for root login, it depends on where you log in.

Zope root does not implement a cookie plugin; it only logs in with basic auth. IMO, you should never have the Zope root accessible without first tunneling or using a VPN to get into it.

Finally, you can disable the credentials_basic_auth plugin from your Plone site.
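A quick way to verify the result of the steps above, as an added example that is not part of the original answer: parse the Set-Cookie headers a login response returns and report which required attributes the __ac cookie lacks. The header lines are constructed samples; in practice, pass in the real headers (for example from `resp.headers.get_all("Set-Cookie")` in `http.client`).

```python
# Added example (not from the original thread): audit Set-Cookie headers for the
# Secure and HttpOnly attributes on Plone's __ac cookie.
from typing import Dict, List, Optional, Tuple

# Attributes the __ac cookie should carry, compared case-insensitively.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lowercased; valueless attributes such as Secure and
    HttpOnly map to None so that presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def missing_flags(set_cookie_headers: List[str],
                  cookie_name: str = "__ac") -> List[Tuple[str, List[str]]]:
    """Return (header, missing_flags) for every header that sets cookie_name.

    Headers for other cookies are ignored; an empty list of missing flags means
    the cookie is set with both Secure and HttpOnly.
    """
    findings: List[Tuple[str, List[str]]] = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        findings.append((header, [f for f in REQUIRED_FLAGS if f not in attrs]))
    return findings


# Constructed samples: the first mimics a Zope-root login that sets __ac without
# protections, the second a Plone-site login with the flags applied.
SAMPLE_HEADERS = [
    "__ac=SAMPLEVALUE1; Path=/",
    "__ac=SAMPLEVALUE2; Path=/Plone; Secure; HttpOnly",
    "_ZopeId=SAMPLEID; Path=/",
]

if __name__ == "__main__":
    for header, missing in missing_flags(SAMPLE_HEADERS):
        print(header, "-> missing:", missing or "none")
```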
