Use wsgi.url_scheme to determine secure connections

Cito · Cito · commit 5a9e91bfe0cd · 2021-01-21T12:45:06.000+01:00
As a WSGI application, Webware 3 should check wsgi.url_scheme
instead of the HTTPS environment variable in order to reliably
detect secure connections.

Note that mod_wsgi even removes the HTTPS environment variable.
diff --git a/webware/HTTPRequest.py b/webware/HTTPRequest.py
@@ -152,7 +152,7 @@ def protocol(self):
 
     def isSecure(self):
         """Check whether this is a HTTPS connection."""
-        return self._environ.get('HTTPS', '').lower() == 'on'
+        return self._environ.get('wsgi.url_scheme') == 'https'
 
     # endregion Security
 
diff --git a/webware/HTTPResponse.py b/webware/HTTPResponse.py
@@ -404,7 +404,7 @@ def recordSession(self):
                 return
         cookie = Cookie(app.sessionName(trans), identifier)
         cookie.setPath(app.sessionCookiePath(trans))
-        if trans.request().isSecure():
+        if request.isSecure():
             cookie.setSecure(app.setting('SecureSessionCookie'))
         self.addCookie(cookie)
         if debug:
diff --git a/webware/Testing/TestIMS.py b/webware/Testing/TestIMS.py
@@ -33,8 +33,7 @@ def writeContent(self):
         d = self.request().serverDictionary()
         self._host = d['HTTP_HOST']  # includes the port
         self._httpConnection = (
-            http.client.HTTPSConnection
-            if d.get('HTTPS', '').lower() == 'on'
+            http.client.HTTPSConnection if d.get('wsgi.url_scheme') == 'https'
             else http.client.HTTPConnection)
         servletPath = self.request().servletPath()
         # pick a static file which is served up by Webware's UnknownFileHandler
