-
-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set secure
and httponly
on formplayer_session
cookie
#35150
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for fixing my past self's mistake 😁 good stuff!
corehq/apps/cloudcare/middleware.py
Outdated
FORMPLAYER_SESSION_COOKIE_NAME = 'formplayer_session' | ||
FORMPLAYER_SESSION_COOKIE_HTTPONLY = settings.SESSION_COOKIE_HTTPONLY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not worth changing, but just curious what made you put this in a var rather than reference settings.SESSION_COOKIE_HTTPONLY directly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think it'd be nicer to just reference it directly? For me it feels like it represents a different concept, that whether the Formplayer session cookie should be httponly
can be inferred based on whether the Django session cookie is httponly
, but doesn't have to be based on that. I also thought about just setting it to True
or even using httponly=True
directly in set_cookie()
- I think in practice they're all the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just wanted to check that the reasoning was along those lines. I don't have great context here, but from an initial read of this setting it seems like isn't that different of a concept? This is a session cookie, and we are using the SESSION_COOKIE_HTTPONLY settings when setting the httponly flag? It doesn't help that we don't use this setting anywhere else, but it seems like we should probably be referencing this same setting in other places where we set session cookies right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it depends whether we're taking "session cookie" to mean "a cookie tied to the session" or "Django's sessionid
cookie". I'm fine with the former interpretation, since in practice we do want it do be the same. 1301079
Technical Summary
SAAS-15897
The
secure
flag was found not to be set on theformplayer_session
cookie - this was traced to an issue of middleware order and layering (see Django docs). Since theSecureCookiesMiddleware
modifies cookies the response object, it should be listed above middleware that adds cookies. This is because middleware is processed as a stack, top -> bottom for the request, then bottom -> top for the response.Here I've moved the
SecureCookiesMiddleware
above every middleware that seems to add cookies, though that may not be strictly necessary sinceSelectiveSessionMiddleware
andCsrfViewMiddleware
also setsecure
based on their own settings.I've also set the
httponly
flag on theformplayer_session
cookie as recommended in the ticket.Safety Assurance
Safety story
Tested locally and on staging to see that
secure
is now set on theformplayer_session
cookie according toSecureCookiesMiddleware
, and additionally that it now affects thesessionid
andcsrftoken
cookies.Also confirmed that
httponly
is now set for theformplayer_session
cookie, which is appropriate here because we don't ever access it in javascript.Automated test coverage
There are existing automated tests for
SecureCookiesMiddleware
though I haven't actually changed anything in that class.QA Plan
Not planning QA.
Rollback instructions
Labels & Review