Set secure and httponly on formplayer_session cookie
#35150
Conversation
dimagimon
added
the
Risk: Medium
nospame
requested review from
orangejenny,
MartinRiese,
AddisonDunn,
stephherbers,
Robert-Costello and
Jtang-1
as code owners
corehq/apps/cloudcare/middleware.py
Outdated
| FORMPLAYER_SESSION_COOKIE_NAME = 'formplayer_session' | ||
| FORMPLAYER_SESSION_COOKIE_HTTPONLY = settings.SESSION_COOKIE_HTTPONLY |
There was a problem hiding this comment.
Not worth changing, but just curious what made you put this in a var rather than reference settings.SESSION_COOKIE_HTTPONLY directly?
There was a problem hiding this comment.
Do you think it'd be nicer to just reference it directly? For me it feels like it represents a different concept, that whether the Formplayer session cookie should be httponly can be inferred based on whether the Django session cookie is httponly, but doesn't have to be based on that. I also thought about just setting it to True or even using httponly=True directly in set_cookie() - I think in practice they're all the same.
There was a problem hiding this comment.
Just wanted to check that the reasoning was along those lines. I don't have great context here, but from an initial read of this setting it seems like isn't that different of a concept? This is a session cookie, and we are using the SESSION_COOKIE_HTTPONLY settings when setting the httponly flag? It doesn't help that we don't use this setting anywhere else, but it seems like we should probably be referencing this same setting in other places where we set session cookies right?
There was a problem hiding this comment.
I think it depends whether we're taking "session cookie" to mean "a cookie tied to the session" or "Django's sessionid cookie". I'm fine with the former interpretation, since in practice we do want it do be the same. 1301079
Technical Summary
SAAS-15897
The
secureflag was found not to be set on theformplayer_sessioncookie - this was traced to an issue of middleware order and layering (see Django docs). Since theSecureCookiesMiddlewaremodifies cookies the response object, it should be listed above middleware that adds cookies. This is because middleware is processed as a stack, top -> bottom for the request, then bottom -> top for the response.Here I've moved the
SecureCookiesMiddlewareabove every middleware that seems to add cookies, though that may not be strictly necessary sinceSelectiveSessionMiddlewareandCsrfViewMiddlewarealso setsecurebased on their own settings.I've also set the
httponlyflag on theformplayer_sessioncookie as recommended in the ticket.Safety Assurance
Safety story
Tested locally and on staging to see that
secureis now set on theformplayer_sessioncookie according toSecureCookiesMiddleware, and additionally that it now affects thesessionidandcsrftokencookies.Also confirmed that
httponlyis now set for theformplayer_sessioncookie, which is appropriate here because we don't ever access it in javascript.Automated test coverage
There are existing automated tests for
SecureCookiesMiddlewarethough I haven't actually changed anything in that class.QA Plan
Not planning QA.
Rollback instructions
Labels & Review