Set secure to not app.debug

Siecje · Sep 26, 2017 · 264eb7a · 264eb7a
1 parent 1ab1112
commit 264eb7a
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/authenticator.py b/authenticator.py
@@ -80,9 +80,12 @@ def login():
             resp = make_response(redirect(target))
 
             secure = True if app.debug is False else False
+            # Secure limits cookies to HTTPS traffic only.
+            # HttpOnly prevents JavaScript from reading the cookie
             resp.set_cookie('token', auth_token,
-                            secure=app.debug,
-                            httponly=True)
+                            secure=secure,
+                            httponly=True,
+                            )
 
             # Set headers that will be received by the service for this request
             resp.headers['Location'] = target