After a security report, I've been asked to provide a secure session cookie.

I am using pyramid_beaker.session_factory_from_settings() and was lucky(?) to be able to set the httponly with ('session.httponly', True), but ('session.secure', True) does not provide the second option.

Is it possible to do it?

Pointers to the different session.* settings much appreciated also.

EDIT: I found a list in beaker.utils.coerce_session_params()

Thanks.

EDIT: I think I got the problem. I am using in development:

        from wsgiref import simple_server  # plain-HTTP WSGI server, no TLS
        http_server = simple_server.make_server('0.0.0.0', no_port, app)
        http_server.serve_forever()

so the cookie is not sent because I am not in HTTPS. I need to set up an HTTPS server for this.


Solution

Sorry, is there a question here? It sounds like you answered the original one and are now looking at making your development setup work under HTTPS? Personally I tend to worry about that only on my staging server (where nginx handles the certificates), but in my development.ini locally I do not make cookies secure.
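The following is an added example, not code from the question, the answer, or the pyramid_beaker/Beaker projects. It renders the `Set-Cookie` header that the `session.secure` / `session.httponly` settings named in the question produce, then applies a small model of the browser rule that explains the asker's symptom: a cookie flagged `Secure` is never returned to a plain-HTTP server such as `wsgiref.simple_server`, while an `HttpOnly` cookie is sent but hidden from `document.cookie`. The settings dict, the port and the hostnames are constructed for illustration; the real factory would be built by passing such a dict to `pyramid_beaker.session_factory_from_settings()`.

```python
"""Secure / HttpOnly session cookies: what the flags mean in practice."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed settings dict, in the form Pyramid reads from a .ini file.
# Beaker's coerce_session_params() converts the string values to booleans.
SESSION_SETTINGS = {
    "session.type": "cookie",
    "session.key": "session",
    "session.secure": "true",     # Secure: browser sends it over HTTPS only
    "session.httponly": "true",   # HttpOnly: not exposed to page scripts
}


def _flag(settings, key):
    """Read a boolean-ish session.* setting the way an .ini would express it."""
    return str(settings.get(key, "false")).strip().lower() in ("true", "1", "yes")


def build_set_cookie(settings, value):
    """Return the Set-Cookie header text for a session cookie with these settings."""
    jar = SimpleCookie()
    name = settings["session.key"]
    jar[name] = value
    jar[name]["path"] = "/"
    if _flag(settings, "session.secure"):
        jar[name]["secure"] = True
    if _flag(settings, "session.httponly"):
        jar[name]["httponly"] = True
    return jar[name].OutputString()


def browser_would_send(set_cookie_header, request_url):
    """Model (hypothetical, simplified) of a browser deciding whether a stored
    cookie is attached to a request: a Secure cookie goes only over https."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(request_url).scheme
    return {name: not (morsel["secure"] and scheme != "https")
            for name, morsel in jar.items()}


def script_can_read(set_cookie_header):
    """Which cookie names page JavaScript would see via document.cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return [name for name, morsel in jar.items() if not morsel["httponly"]]


if __name__ == "__main__":
    header = build_set_cookie(SESSION_SETTINGS, "constructed-session-id")
    print("Set-Cookie:", header)
    # The asker's development setup: wsgiref.simple_server speaks plain HTTP,
    # so the Secure cookie is stored but never sent back.
    print("dev  http  ->", browser_would_send(header, "http://127.0.0.1:6543/"))
    print("stage https ->", browser_would_send(header, "https://app.example/"))
    print("visible to JS:", script_can_read(header))
    # The answer's approach: keep session.secure off in development.ini only.
    dev_settings = dict(SESSION_SETTINGS, **{"session.secure": "false"})
    dev_header = build_set_cookie(dev_settings, "constructed-session-id")
    print("dev  http (secure=false) ->",
          browser_would_send(dev_header, "http://127.0.0.1:6543/"))
```

Run it to see that the `Secure` cookie is dropped for the `http://` request and attached for the `https://` one, which is exactly the "cookie is not sent" symptom from the edit above; switching `session.secure` off for the development profile, as the answer suggests, is what restores the cookie locally, while staging and production keep it on behind a TLS-terminating proxy.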

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow