From 670481b026e2e37c3779b9a5ab6160aa8f37fb96 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 20 Apr 2023 13:43:32 +0200
Subject: [PATCH] misc: make opened session cookie http only and secure (#76809)
---
 debian/debian_config.py | 2 --
 debian/multitenant/debian_config.py | 2 --
 src/authentic2/app_settings.py | 1 -
 src/authentic2/middleware.py | 3 ++-
 tests/test_login.py | 1 -
 5 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/debian/debian_config.py b/debian/debian_config.py
index 8b0371fb4..d8d0217c1 100644
--- a/debian/debian_config.py
+++ b/debian/debian_config.py
@@ -119,8 +119,6 @@ LOGGING = {
     },
 }
-A2_OPENED_SESSION_COOKIE_SECURE = True
-
 # Old settings method
 def extract_settings_from_environ():
diff --git a/debian/multitenant/debian_config.py b/debian/multitenant/debian_config.py
index 140f895da..a44e0c058 100644
--- a/debian/multitenant/debian_config.py
+++ b/debian/multitenant/debian_config.py
@@ -45,8 +45,6 @@ if 'syslog' in LOGGING['handlers']:
         'level': 'WARNING',
     }
-A2_OPENED_SESSION_COOKIE_SECURE = True
-
 A2_PASSWORD_POLICY_DICTIONARIES = {'richelieu': '/usr/share/authentic2/richelieu'}
 # Rest Authentication Class for services access
diff --git a/src/authentic2/app_settings.py b/src/authentic2/app_settings.py
index e889da2f3..d992b07a9 100644
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@@ -180,7 +180,6 @@ default_settings = dict(
     VALID_REFERERS=Setting(default=(), definition='List of prefix to match referers'),
     A2_OPENED_SESSION_COOKIE_NAME=Setting(default='A2_OPENED_SESSION', definition='Authentic session open'),
     A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(default=None),
-    A2_OPENED_SESSION_COOKIE_SECURE=Setting(default=False),
     A2_ATTRIBUTE_KINDS=Setting(default=(), definition='List of other attribute kinds'),
     A2_ATTRIBUTE_KIND_PROFILE_IMAGE_SIZE=Setting(
         default=200, definition='Width and height for a profile image'
diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py
index 199023fd7..7a7ec60dc 100644
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@@ -76,7 +76,8 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
             value=uuid.uuid4().hex,
             max_age=None,
             domain=domain,
-            secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
+            secure=settings.SESSION_COOKIE_SECURE,
+            httponly=True,
             samesite='Lax',
         )
     elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
diff --git a/tests/test_login.py b/tests/test_login.py
index d9c546dfe..8620f8675 100644
--- a/tests/test_login.py
+++ b/tests/test_login.py
@@ -572,7 +572,6 @@ def test_login_opened_session_cookie(db, app, settings, simple_user):
     login(app, simple_user)
     assert 'A2_OPENED_SESSION' in app.cookies
-    settings.A2_OPENED_SESSION_COOKIE_SECURE = True
     app.cookiejar.clear()
     login(app, simple_user)
     assert 'A2_OPENED_SESSION' in app.cookies
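Review bot: The new `secure=` and `httponly=True` flags on the opened-session cookie in middleware.py are never asserted anywhere: the tests/test_login.py hunk only drops the old `settings.A2_OPENED_SESSION_COOKIE_SECURE = True` line and still checks nothing beyond the cookie's presence, so a regression that silently drops either flag would pass. The test should pin the attributes on the emitted cookie, for instance by reading the `Set-Cookie` header of the login response and asserting `'Secure'` (with `settings.SESSION_COOKIE_SECURE = True`) and `'HttpOnly'` appear in the `A2_OPENED_SESSION` cookie. Adding `httponly=True` also changes who can read this cookie; if any front-end script on the cookie domain inspects it to detect an open IdP session, that use case is now broken, so a short comment such as `# httponly: the cookie is a server-side session marker only; never exposed to JS` would record the intent next to the call. The hunk only shows `app_settings` in use, so it is worth confirming that `settings` (the Django settings object) is actually imported in middleware.py. The enclosing method of OpenedSessionCookieMiddleware starts and ends outside the hunk.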