misc: make opened session cookie http only and secure (#76809)

2023-04-20 13:43:32 +02:00 · 2023-04-20 13:43:32 +02:00 · 670481b026
parent ddec7aac6b
commit 670481b026
5 changed files with 2 additions and 7 deletions
--- a/debian/debian_config.py
+++ b/debian/debian_config.py
@ -119,8 +119,6 @@ LOGGING = {
    },
 }

-A2_OPENED_SESSION_COOKIE_SECURE = True
-

 # Old settings method
 def extract_settings_from_environ():
--- a/debian/multitenant/debian_config.py
+++ b/debian/multitenant/debian_config.py
@ -45,8 +45,6 @@ if 'syslog' in LOGGING['handlers']:
        'level': 'WARNING',
    }

-A2_OPENED_SESSION_COOKIE_SECURE = True
-
 A2_PASSWORD_POLICY_DICTIONARIES = {'richelieu': '/usr/share/authentic2/richelieu'}

 # Rest Authentication Class for services access
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@ -180,7 +180,6 @@ default_settings = dict(
    VALID_REFERERS=Setting(default=(), definition='List of prefix to match referers'),
    A2_OPENED_SESSION_COOKIE_NAME=Setting(default='A2_OPENED_SESSION', definition='Authentic session open'),
    A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(default=None),
-    A2_OPENED_SESSION_COOKIE_SECURE=Setting(default=False),
    A2_ATTRIBUTE_KINDS=Setting(default=(), definition='List of other attribute kinds'),
    A2_ATTRIBUTE_KIND_PROFILE_IMAGE_SIZE=Setting(
        default=200, definition='Width and height for a profile image'
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@ -76,7 +76,8 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
                    value=uuid.uuid4().hex,
                    max_age=None,
                    domain=domain,
-                    secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
+                    secure=settings.SESSION_COOKIE_SECURE,
+                    httponly=True,
                    samesite='Lax',
                )
        elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
--- a/tests/test_login.py
+++ b/tests/test_login.py
@ -572,7 +572,6 @@ def test_login_opened_session_cookie(db, app, settings, simple_user):
    login(app, simple_user)
    assert 'A2_OPENED_SESSION' in app.cookies

-    settings.A2_OPENED_SESSION_COOKIE_SECURE = True
    app.cookiejar.clear()
    login(app, simple_user)
    assert 'A2_OPENED_SESSION' in app.cookies