Using secure cookies when logging in via SSL

Asked by mark burdett

I would like to know if it's possible to configure mailman to set "secure" cookies when users log in via HTTPS. The secure cookie flag prevents cookies created at from being sent over the wire unencrypted when the same user later visits. Sending a cookie via HTTP, whether by tricking a user into visiting an HTTP URL on the same host and path, or when a user simply visits such a URL intentionally, can allow an eavesdropper or man-in-the-middle to hijack the authenticated session.

At it looks like it may be necessary to hack mailman by adding c[key]['secure'] = 'yes'
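As an added illustration of the point raised in the question (example code, not Mailman's own): a CGI-style helper that emits the Secure attribute only when the request arrived over TLS, plus a small model of the browser rule that attribute relies on. The environ keys, cookie name and path are constructed for the example.

```python
"""Secure flag on a CGI session cookie: added example, not Mailman's code.

Mailman 2 is a CGI application that builds its session cookie with the
standard-library Cookie module; this mirrors that pattern with http.cookies.
"""
from http.cookies import SimpleCookie


def make_session_cookie(environ, key, value, path="/mailman/"):
    """Build a session cookie, setting Secure only when the login used TLS.

    CGI servers expose TLS to the script through the HTTPS environment
    variable (conventionally "on"); a cookie marked Secure is never sent by
    the browser to a plain http:// URL on the same host and path.
    """
    c = SimpleCookie()
    c[key] = value
    c[key]["path"] = path
    if environ.get("HTTPS", "").lower() in ("on", "1"):
        # Any truthy value renders the bare "Secure" attribute; the hack
        # quoted in the question assigns the string 'yes' for the same effect.
        c[key]["secure"] = True
    return c


def browser_would_send(cookie, key, scheme):
    """Model the client-side rule: a Secure cookie travels only over https."""
    morsel = cookie[key]
    return scheme == "https" or not morsel["secure"]


if __name__ == "__main__":
    # Constructed environ for an HTTPS login; "testlist+admin" is a
    # made-up cookie name in the style Mailman uses for list admin sessions.
    tls = make_session_cookie({"HTTPS": "on"}, "testlist+admin", "token")
    print(tls.output())
    print("sent over http?", browser_would_send(tls, "testlist+admin", "http"))
```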

GNU Mailman
Solved by:
Mark Sapiro
Best Mark Sapiro (msapiro) said:

I think you've answered your own question. There is no configuration option/setting for this - you have to hack the code as you indicate.

mark burdett (mfb) said:

Thanks. It would be nice to have a config option to generate secure cookies if the connection is SSL.

mark burdett (mfb) said:

Thanks Mark Sapiro, that solved my question.

dkg (dkg0) said:

I've created a (very simple) patch that makes this a site-wide configuration option. It is posted at