Using secure cookies when logging in via SSL

Asked by mark burdett on 2009-04-08

I would like to know if it's possible to configure mailman to set "secure" cookies when users log in via HTTPS. The secure cookie flag prevents cookies created at from being sent over the wire unencrypted when the same user later visits. Sending a cookie via HTTP, whether by tricking a user into visiting an HTTP URL on the same host and path, or when a user simply visits such a URL intentionally, can allow an eavesdropper or man-in-the-middle to hijack the authenticated session.

At it looks like it may be necessary to hack mailman by adding c[key]['secure'] = 'yes'
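As an added illustration (not code from the question or from Mailman itself) of what the one-line hack above does, the following Python 3 snippet builds a session cookie with the standard-library http.cookies module (the Python 3 successor of the Cookie module Mailman 2 uses) and sets the Secure flag only when the request arrived over TLS. The cookie name, value, path and the environ dictionary are constructed here; the check for HTTPS=on follows the common CGI convention and is an assumption, not Mailman's own detection logic. A small checker confirms the flag is present in the rendered Set-Cookie header.

```python
from http.cookies import SimpleCookie


def build_session_cookie(key, value, environ, path="/mailman/"):
    """Return a SimpleCookie carrying one session value.

    The Secure attribute is added only when the request came in over TLS.
    Assumption: the web server exports HTTPS=on in the CGI environment;
    Mailman's real code may detect TLS differently.
    """
    c = SimpleCookie()
    c[key] = value
    c[key]["path"] = path
    # HttpOnly keeps the session cookie out of reach of page scripts;
    # it is a related hardening, not part of the question's hack.
    c[key]["httponly"] = True
    if environ.get("HTTPS", "").lower() == "on":
        # Equivalent of the question's c[key]['secure'] = 'yes':
        # any true value makes the Secure attribute appear.
        c[key]["secure"] = True
    return c


def set_cookie_header(cookie, key):
    """Render the value that would follow 'Set-Cookie:' for one cookie."""
    return cookie[key].OutputString()


def has_secure_flag(header_value):
    """Report whether a Set-Cookie header value carries the Secure attribute."""
    attrs = [a.strip().lower() for a in header_value.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    # Constructed sample environments: one TLS request, one plain HTTP request.
    for env in ({"HTTPS": "on"}, {}):
        hdr = set_cookie_header(build_session_cookie("sid", "abc123", env), "sid")
        print("Set-Cookie:", hdr, "| secure:", has_secure_flag(hdr))
```

Run stand-alone, the script prints one header per sample environment; the TLS case ends in "Secure" and the plain-HTTP case does not, which is exactly the difference an intercepting proxy or log review would look for when auditing login responses.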

Solved by: Mark Sapiro
Mark Sapiro (msapiro) said : #1 (best answer)

I think you've answered your own question. There is no configuration option/setting for this - you have to hack the code as you indicate.

mark burdett (mfb) said : #2

Thanks. It would be nice to have a config option to generate secure cookies if the connection is SSL.

mark burdett (mfb) said : #3

Thanks Mark Sapiro, that solved my question.

dkg (dkg0) said : #4

I've created a (very simple) patch that makes this a site-wide configuration option. It is posted at