--- a/cubicweb/web/application.py Fri Jan 20 16:53:28 2017 +0100
+++ b/cubicweb/web/application.py Mon Jan 23 11:02:21 2017 +0100
@@ -125,8 +125,6 @@
"""return a string giving the name of the cookie used to store the
session identifier.
"""
- if req.https:
- return '__%s_https_session' % self.vreg.config.appid
return '__%s_session' % self.vreg.config.appid
def get_session(self, req):
@@ -158,7 +156,7 @@
def open_session(self, req):
session = self.session_manager.open_session(req)
sessioncookie = self.session_cookie(req)
- secure = req.https and req.base_url().startswith('https://')
+ secure = req.base_url().startswith('https://')
req.set_cookie(sessioncookie, session.sessionid,
maxage=None, secure=secure, httponly=True)
if not session.anonymous_session:
@@ -334,27 +332,20 @@
content = self.redirect_handler(req, ex)
# Wrong, absent or Reseted credential
except AuthenticationError:
- # If there is an https url configured and
- # the request does not use https, redirect to login form
- https_url = self.vreg.config['https-url']
- if https_url and req.base_url() != https_url:
- req.status_out = http_client.SEE_OTHER
- req.headers_out.setHeader('location', https_url + 'login')
+ # We assume here that in http auth mode the user *May* provide
+ # Authentification Credential if asked kindly.
+ if self.vreg.config['auth-mode'] == 'http':
+ req.status_out = http_client.UNAUTHORIZED
+ # In the other case (coky auth) we assume that there is no way
+ # for the user to provide them...
+ # XXX But WHY ?
else:
- # We assume here that in http auth mode the user *May* provide
- # Authentification Credential if asked kindly.
- if self.vreg.config['auth-mode'] == 'http':
- req.status_out = http_client.UNAUTHORIZED
- # In the other case (coky auth) we assume that there is no way
- # for the user to provide them...
- # XXX But WHY ?
- else:
- req.status_out = http_client.FORBIDDEN
- # If previous error handling already generated a custom content
- # do not overwrite it. This is used by LogOut Except
- # XXX ensure we don't actually serve content
- if not content:
- content = self.need_login_content(req)
+ req.status_out = http_client.FORBIDDEN
+ # If previous error handling already generated a custom content
+ # do not overwrite it. This is used by LogOut Except
+ # XXX ensure we don't actually serve content
+ if not content:
+ content = self.need_login_content(req)
assert isinstance(content, binary_type)
return content