Development #71880

Set a correct minimal configuration for the CSRF and session cookies

Added by Benjamin Dauvergne 2 months ago. Updated about 1 month ago.

Status:
Solution deployed
Priority:
Normal
Category:
-
Target version:
-
Start date:
30 November 2022
Due date:
% Done:

0%

Estimated time:
Patch proposed:
Yes
Planning:
No

Description

At a minimum: SESSION_COOKIE_SECURE=True, CSRF_COOKIE_SECURE=True, SESSION_COOKIE_SAMESITE='None' and CSRF_COOKIE_SAMESITE = 'Lax'.
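The four settings above, checked by a small helper added here as an example (it is not code from the Authentic 2 project or its commits). The helper also flags the case the issue's minimum implies but does not spell out: a SameSite='None' cookie is only accepted by browsers when it is also marked Secure, so the two flags must be set together.

```python
# Added example, not from the Authentic 2 issue or its commits: check a dict of
# Django settings against the cookie configuration the issue asks for.
# Django defaults assumed: *_COOKIE_SECURE = False, *_COOKIE_SAMESITE = 'Lax'.

VALID_SAMESITE = {"Strict", "Lax", "None", None}  # Python None = no SameSite attribute


def check_cookie_settings(settings):
    """Return a list of findings (empty list = configuration meets the minimum)."""
    findings = []
    for prefix in ("SESSION", "CSRF"):
        secure = settings.get(f"{prefix}_COOKIE_SECURE", False)
        samesite = settings.get(f"{prefix}_COOKIE_SAMESITE", "Lax")
        if secure is not True:
            # Without Secure the cookie is also sent over plain http.
            findings.append(f"{prefix}_COOKIE_SECURE should be True")
        if samesite not in VALID_SAMESITE:
            findings.append(f"{prefix}_COOKIE_SAMESITE has invalid value {samesite!r}")
        elif samesite == "None" and secure is not True:
            # Browsers reject SameSite=None cookies that are not Secure.
            findings.append(
                f"{prefix}_COOKIE_SAMESITE='None' requires {prefix}_COOKIE_SECURE=True"
            )
    if settings.get("CSRF_COOKIE_SAMESITE", "Lax") == "None":
        # The issue's minimum keeps the CSRF cookie first-party only.
        findings.append("CSRF_COOKIE_SAMESITE should be 'Lax', not 'None'")
    return findings


# Constructed "before": an empty settings module, i.e. Django defaults.
DEFAULT_SETTINGS = {}

# The minimum the issue asks for.
MINIMAL_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "None",
    "CSRF_COOKIE_SAMESITE": "Lax",
}

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULT_SETTINGS), ("minimal", MINIMAL_SETTINGS)):
        print(name, check_cookie_settings(cfg) or "OK")
```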


Related issues

Related to Authentic 2 - Bug #71788: Logout problem when connecting to certain SPs in SAML2 (Closed, 28 November 2022)

Associated revisions

Revision d8d29e2d (diff)
Added by Benjamin Dauvergne 2 months ago

settings: set secure flag on cookies (#71880)

Test fixes:
  • force https scheme in webtest HTTP client
  • add secure=True to call with the django HTTP client
  • replace http scheme by https in URLs assertions,
  • properly use response.form in tests directly using app.post, as CSRF checks on secure connection also test the Referrer
  • manually add Referer header in other cases,

Revision 4b3bcd01 (diff)
Added by Benjamin Dauvergne 2 months ago

settings: set samesite flag on cookies when possible (#71880)

History

#1

Updated by Benjamin Dauvergne 2 months ago

  • Related to Bug #71788: Logout problem when connecting to certain SPs in SAML2 added
#2

Updated by Benjamin Dauvergne 2 months ago

  • Assignee set to Benjamin Dauvergne
#3

Updated by Benjamin Dauvergne 2 months ago

#7

Updated by Agate Berriot 2 months ago

  • Status changed from Solution proposed to Solution validated
#8

Updated by Benjamin Dauvergne 2 months ago

  • Status changed from Solution validated to Resolved (to deploy)
commit 4b3bcd01499a396a7a122b355a9dc95213eeb934
Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date:   Wed Nov 30 15:27:52 2022 +0100

    settings: set samesite flag on cookies when possible (#71880)

commit d8d29e2daa3733687710a7c5f185cceaf00bf011
Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date:   Wed Nov 30 14:43:02 2022 +0100

    settings: set secure flag on cookies (#71880)

    Test fixes:
    * force https scheme in webtest HTTP client
    * add secure=True to call with the django HTTP client
    * replace http scheme by https in URLs assertions,
    * properly use response.form in tests directly using app.post, as CSRF checks on secure connection also test the Referrer
    * manually add Referer header in other cases,
#9

Updated by Transition automatique about 1 month ago

  • Status changed from Resolved (to deploy) to Solution deployed