Merge pull request #120 from alphagov/set-secure-cookie

Set secure cookie

app/its_dangerous_session.py

@@ -1,13 +1,15 @@
+from datetime import timedelta, datetime
+
 from werkzeug.datastructures import CallbackDict
 from flask.sessions import SessionInterface, SessionMixin
 from itsdangerous import URLSafeTimedSerializer, BadSignature
 
 
 class ItsdangerousSession(CallbackDict, SessionMixin):
-
     def __init__(self, initial=None):
         def on_update(self):
             self.modified = True
+
         CallbackDict.__init__(self, initial, on_update)
         self.modified = False
 
@@ -43,8 +45,9 @@ class ItsdangerousSessionInterface(SessionInterface):
                 response.delete_cookie(app.session_cookie_name,
                                        domain=domain)
             return
-        expires = self.get_expiration_time(app, session)
+        session.permanent = True
+        expires = datetime.utcnow() + timedelta(app.config.get('PERMANENT_SESSION_LIFETIME'))
         val = self.get_serializer(app).dumps(dict(session))
         response.set_cookie(app.session_cookie_name, val,
                             expires=expires, httponly=True,
-                            domain=domain)
+                            domain=domain, secure=app.config.get('SESSION_COOKIE_SECURE'))

config.py

@@ -20,7 +20,7 @@ class Config(object):
     SESSION_COOKIE_NAME = 'notify_admin_session'
     SESSION_COOKIE_PATH = '/admin'
     SESSION_COOKIE_HTTPONLY = True
-    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_SECURE = False
     PERMANENT_SESSION_LIFETIME = 3600  # seconds
 
     API_HOST_NAME = os.getenv('API_HOST_NAME')
@@ -56,6 +56,8 @@ class Test(Development):
 class Live(Config):
     DEBUG = False
     HTTP_PROTOCOL = 'https'
+    SESSION_COOKIE_SECURE = True
+
 
 configs = {
     'live': Live,