From 7d98a3c119d25d5fc409cfa0f01e3724284b0869 Mon Sep 17 00:00:00 2001
From: nospame
Date: Fri, 20 Sep 2024 08:33:45 -0700
Subject: [PATCH 1/3] Make formplayer_session cookie httponly

---
 corehq/apps/cloudcare/middleware.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/corehq/apps/cloudcare/middleware.py b/corehq/apps/cloudcare/middleware.py
index b59bfa96ef20..98a14f0d07ee 100644
--- a/corehq/apps/cloudcare/middleware.py
+++ b/corehq/apps/cloudcare/middleware.py
@@ -1,7 +1,8 @@
+from django.conf import settings
 from django.utils.deprecation import MiddlewareMixin
-
 
 FORMPLAYER_SESSION_COOKIE_NAME = 'formplayer_session'
+FORMPLAYER_SESSION_COOKIE_HTTPONLY = settings.SESSION_COOKIE_HTTPONLY
 
 
 class CloudcareMiddleware(MiddlewareMixin):
@@ -27,4 +28,5 @@ def _set_formplayer_session_cookie(request, response):
 couch_user = getattr(request, 'couch_user', None)
 if couch_user:
 if request.COOKIES.get(FORMPLAYER_SESSION_COOKIE_NAME) != couch_user.user_id:
- response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id)
+ response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id,
+ httponly=FORMPLAYER_SESSION_COOKIE_HTTPONLY)

From f189561d890903286180e716358bf54c2fec56ad Mon Sep 17 00:00:00 2001
From: nospame
Date: Fri, 20 Sep 2024 09:11:15 -0700
Subject: [PATCH 2/3] Reorder SecureCookiesMiddleware and add docstring

---
 corehq/middleware.py | 4 ++++
 settings.py | 3 +--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/corehq/middleware.py b/corehq/middleware.py
index 6d3d98633672..1e9049c2352f 100644
--- a/corehq/middleware.py
+++ b/corehq/middleware.py
@@ -340,6 +340,10 @@ def get_view_func(view_fn, view_kwargs):
 
 
 class SecureCookiesMiddleware(MiddlewareMixin):
+ """Sets `secure` flag for cookies on the response object.
+ Must be come before middleware that adds cookies, because of order and layering.
+ https://docs.djangoproject.com/en/4.2/topics/http/middleware/#middleware-order-and-layering
+ """
 
 def process_response(self, request, response):
 if hasattr(response, 'cookies') and response.cookies:
diff --git a/settings.py b/settings.py
index 988b3b796eba..988d419508a1 100755
--- a/settings.py
+++ b/settings.py
@@ -146,6 +146,7 @@
 
 MIDDLEWARE = [
 'corehq.middleware.NoCacheMiddleware',
+ 'corehq.middleware.SecureCookiesMiddleware',
 'corehq.middleware.SelectiveSessionMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.common.CommonMiddleware',
@@ -171,8 +172,6 @@
 'no_exceptions.middleware.NoExceptionsMiddleware',
 'corehq.apps.locations.middleware.LocationAccessMiddleware',
 'corehq.apps.cloudcare.middleware.CloudcareMiddleware',
- # middleware that adds cookies must come before SecureCookiesMiddleware
- 'corehq.middleware.SecureCookiesMiddleware',
 'field_audit.middleware.FieldAuditMiddleware',
 ]
 

From 1301079fd23954e92d2deed1dd36f72331251431 Mon Sep 17 00:00:00 2001
From: nospame
Date: Fri, 20 Sep 2024 13:29:09 -0700
Subject: [PATCH 3/3] Remove redundant constant

---
 corehq/apps/cloudcare/middleware.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/corehq/apps/cloudcare/middleware.py b/corehq/apps/cloudcare/middleware.py
index 98a14f0d07ee..0954c4eb6db3 100644
--- a/corehq/apps/cloudcare/middleware.py
+++ b/corehq/apps/cloudcare/middleware.py
@@ -2,7 +2,6 @@
 from django.utils.deprecation import MiddlewareMixin
 
 FORMPLAYER_SESSION_COOKIE_NAME = 'formplayer_session'
-FORMPLAYER_SESSION_COOKIE_HTTPONLY = settings.SESSION_COOKIE_HTTPONLY
 
 
 class CloudcareMiddleware(MiddlewareMixin):
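Review bot: The docstring added under `class SecureCookiesMiddleware` has a typo ("Must be come before") and states the ordering rule without the reason a future maintainer needs: `process_response` hooks run in reverse MIDDLEWARE order, so this class has to be listed before any cookie-setting middleware precisely so that it runs after them on the response path. I'd replace the second line with `Must be listed in MIDDLEWARE before any middleware that adds cookies: process_response runs in reverse order, so this one then runs last and sees those cookies.` The first line says it sets the `secure` flag; if that is conditional on a setting the docstring should name it, but the `process_response` body continues outside the hunk so I cannot confirm from here.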
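Review bot: The second settings.py hunk (`@@ -171,8 +172,6 @@`) removes the only in-file explanation of why `SecureCookiesMiddleware` sits where it does, and the new entry in the first hunk (`@@ -146,6 +146,7 @@`) carries no comment, so the next person reordering MIDDLEWARE has to know to go and read the class docstring. I'd restore a one-line note above the new entry: `# keep above every middleware that sets cookies: its process_response runs after theirs`. Whatever is listed above `NoCacheMiddleware` is outside the hunk; if anything there sets a cookie it would now miss the `secure` flag, which is worth checking before merging.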
@@ -29,4 +28,4 @@ def _set_formplayer_session_cookie(request, response):
 if couch_user:
 if request.COOKIES.get(FORMPLAYER_SESSION_COOKIE_NAME) != couch_user.user_id:
 response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id,
- httponly=FORMPLAYER_SESSION_COOKIE_HTTPONLY)
+ httponly=settings.SESSION_COOKIE_HTTPONLY)
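Review bot: The `set_cookie` call now takes `httponly` from `SESSION_COOKIE_HTTPONLY` but leaves the SameSite attribute unset (Django's `samesite=None` default), so the `formplayer_session` cookie, which carries `couch_user.user_id`, gets browser-default cross-site behaviour instead of matching `SESSION_COOKIE_SAMESITE`; the same applies to the PATCH 1/3 hunk at `@@ -27,4 +28,5 @@` that introduced the argument. Since the values are taken from the session-cookie settings anyway, I'd pass the full set explicitly rather than leaving `secure` to middleware ordering: `response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id, secure=settings.SESSION_COOKIE_SECURE, httponly=settings.SESSION_COOKIE_HTTPONLY, samesite=settings.SESSION_COOKIE_SAMESITE)`. `_set_formplayer_session_cookie` starts outside the hunk, and I cannot see from here whether the cookie is cleared on logout; if it is not, a stale user id lingers in the browser after the session ends, which is worth confirming.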