changeset 8168:3f0f4746dc7e

issue2551370 - prefix session cookie with __Secure- over https Limit use of roundup session cookie to HTTPS protocol by adding __Secure- prefix. Automatic testing includes http behavior only. Https behaviour has been manually tested only. Need to be able to spin up an https server using wsgiref to test https behavior in CI. issue 2551373 opened to track automatic testing of https behavior.
author John Rouillard <rouilj@ieee.org>
date Tue, 26 Nov 2024 17:11:13 -0500
parents eaec1297a142
children 627c5d6a0551
files CHANGES.txt doc/upgrading.txt roundup/cgi/client.py test/test_liveserver.py
diffstat 4 files changed, 35 insertions(+), 2 deletions(-) [+]
--- a/CHANGES.txt	Tue Nov 26 15:25:01 2024 -0500
+++ b/CHANGES.txt	Tue Nov 26 17:11:13 2024 -0500
@@ -45,6 +45,8 @@
   one-by-one (using the check function) but instead offload the
   permission checks to the database. For SQL backends this performs the
   filtering in the database.  (Ralf Schlatterbeck)
+- issue2551370 - mark roundup session cookie with __Secure-
+  prefix. (John Rouillard)
 
 2024-07-13 2.4.0
 
--- a/doc/upgrading.txt	Tue Nov 26 15:25:01 2024 -0500
+++ b/doc/upgrading.txt	Tue Nov 26 17:11:13 2024 -0500
@@ -133,6 +133,21 @@
 at the top of both files. The icing macro used in other tracker
 templates was renamed to frame in this tracker template.
 
+More secure session cookie handling (info)
+------------------------------------------
+
+This affects you if you are accessing a tracker via https.  The name
+for the cookie that you get when logging into the web interface has a
+new name. When upgrading to Roundup 2.5 all users will have to to log
+in again. The cookie now has a ``__Secure-`` prefix to prevent it
+from being exposed/used over http.
+
+If your tracker is using the unencrypted http protocol, nothing has
+changed.
+
+See
+https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes
+for details on this security measure.
 
 
 .. index:: Upgrading; 2.3.0 to 2.4.0
--- a/roundup/cgi/client.py	Tue Nov 26 15:25:01 2024 -0500
+++ b/roundup/cgi/client.py	Tue Nov 26 17:11:13 2024 -0500
@@ -190,8 +190,12 @@
         self.session_db = client.db.getSessionManager()
 
         # parse cookies for session id
-        self.cookie_name = 'roundup_session_%s' % \
-            re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
+        if self.client.secure:
+            cookie_template = '__Secure-roundup_session_%s'
+        else:
+            cookie_template = 'roundup_session_%s'
+        self.cookie_name = cookie_template % \
+                re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
         cookies = LiberalCookie(client.env.get('HTTP_COOKIE', ''))
         if self.cookie_name in cookies:
             try:
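Review bot: The `__Secure-` name prefix is only honored by browsers when the cookie is also sent with the `Secure` attribute from a secure origin; this hunk changes only the name, and the Set-Cookie emission that would set `secure` lies outside the hunk, so confirm it is conditioned on the same `client.secure` test, otherwise the prefixed cookie is dropped by the browser and https logins silently fail. A comment above the branch would make that coupling explicit, e.g. `# __Secure- prefix is rejected by browsers unless the cookie is also emitted with the Secure attribute`. It is also worth noting in that comment that behind a TLS-terminating proxy `client.secure` must reflect the forwarded scheme, or the name quietly stays unprefixed. On style, the new branch reads `self.client.secure` while the adjacent line keeps using `client.instance.config...`; `if client.secure:` keeps the two consistent. The enclosing method starts before and continues past the hunk.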
--- a/test/test_liveserver.py	Tue Nov 26 15:25:01 2024 -0500
+++ b/test/test_liveserver.py	Tue Nov 26 17:11:13 2024 -0500
@@ -176,6 +176,18 @@
             return session
         return session, response
 
+    def test_cookie_attributes(self):
+        session, _response = self.create_login_session()
+
+        cookie_box = session.cookies._cookies['localhost.local']['/']
+        cookie = cookie_box['roundup_session_Roundupissuetracker']
+
+        # check cookie attributes. This is an http session, so
+        # we can't check secure or see cookie with __Secure- prefix 8-(.
+        self.assertEqual(cookie.name, 'roundup_session_Roundupissuetracker')
+        self.assertEqual(cookie.expires, None)  # session cookie
+        self.assertEqual(cookie._rest['HttpOnly'], None)  # flag is present
+        self.assertEqual(cookie._rest['SameSite'], 'Lax')
 
     def test_query(self):
         current_user_query = (
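Review bot: `test_cookie_attributes` reaches into the private `_cookies['localhost.local']['/']` layout of the requests cookie jar, which ties the test to jar internals and the exact host name; iterating the public jar is sturdier: `cookie = next(c for c in session.cookies if c.name == 'roundup_session_Roundupissuetracker')`. Reading `_rest` for HttpOnly and SameSite is still needed, since http.cookiejar exposes non-standard attributes only there. As the test is http-only, it can at least pin the negative case with `self.assertFalse(cookie.secure)` so a regression that flags or prefixes the cookie on plain http is caught. The test class continues outside the hunk.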
