From 5a17bba97e6d7955b4231344ea643c7b7ac22dcd Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Thu, 28 Jan 2016 15:01:44 +0000 Subject: [PATCH 1/3] Set SESSION_COOKIE_SECURE=True for live. --- app/its_dangerous_session.py | 2 +- config.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/app/its_dangerous_session.py b/app/its_dangerous_session.py index d281b32d9..a5e6f6699 100644 --- a/app/its_dangerous_session.py +++ b/app/its_dangerous_session.py @@ -47,4 +47,4 @@ class ItsdangerousSessionInterface(SessionInterface): val = self.get_serializer(app).dumps(dict(session)) response.set_cookie(app.session_cookie_name, val, expires=expires, httponly=True, - domain=domain) + domain=domain, secure=app.config.get('SESSION_COOKIE_SECURE')) diff --git a/config.py b/config.py index b810d9229..81b40b715 100644 --- a/config.py +++ b/config.py @@ -56,6 +56,8 @@ class Test(Development): class Live(Config): DEBUG = False HTTP_PROTOCOL = 'https' + SESSION_COOKIE_SECURE = True + configs = { 'live': Live, From 54a61ac9286b7956374a4236d3d6ff494a211057 Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Thu, 28 Jan 2016 15:31:32 +0000 Subject: [PATCH 2/3] Update the cookie to secure on LIVE Set the expiration of the cookie. --- app/its_dangerous_session.py | 5 ++++- config.py | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/app/its_dangerous_session.py b/app/its_dangerous_session.py index a5e6f6699..27b4890a6 100644 --- a/app/its_dangerous_session.py +++ b/app/its_dangerous_session.py @@ -1,3 +1,5 @@ +from datetime import timedelta, datetime + from werkzeug.datastructures import CallbackDict from flask.sessions import SessionInterface, SessionMixin from itsdangerous import URLSafeTimedSerializer, BadSignature @@ -43,7 +45,8 @@ class ItsdangerousSessionInterface(SessionInterface): response.delete_cookie(app.session_cookie_name, domain=domain) return - expires = self.get_expiration_time(app, session) + session.permanent=True + expires= datetime.utcnow() + timedelta(app.config.get('PERMANENT_SESSION_LIFETIME')) val = self.get_serializer(app).dumps(dict(session)) response.set_cookie(app.session_cookie_name, val, expires=expires, httponly=True, diff --git a/config.py b/config.py index 81b40b715..e8d51e092 100644 --- a/config.py +++ b/config.py @@ -20,7 +20,7 @@ class Config(object): SESSION_COOKIE_NAME = 'notify_admin_session' SESSION_COOKIE_PATH = '/admin' SESSION_COOKIE_HTTPONLY = True - SESSION_COOKIE_SECURE = True + SESSION_COOKIE_SECURE = False PERMANENT_SESSION_LIFETIME = 3600 # seconds API_HOST_NAME = os.getenv('API_HOST_NAME') From 595a17b780373168a32d1bf11826ec305a6b06cf Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Thu, 28 Jan 2016 15:36:18 +0000 Subject: [PATCH 3/3] Fix checkstyle --- app/its_dangerous_session.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/its_dangerous_session.py b/app/its_dangerous_session.py index 27b4890a6..25f7aef20 100644 --- a/app/its_dangerous_session.py +++ b/app/its_dangerous_session.py @@ -6,10 +6,10 @@ from itsdangerous import URLSafeTimedSerializer, BadSignature class ItsdangerousSession(CallbackDict, SessionMixin): - def __init__(self, initial=None): def on_update(self): self.modified = True + CallbackDict.__init__(self, initial, on_update) self.modified = False @@ -45,8 +45,8 @@ class ItsdangerousSessionInterface(SessionInterface): response.delete_cookie(app.session_cookie_name, domain=domain) return - session.permanent=True - expires= datetime.utcnow() + timedelta(app.config.get('PERMANENT_SESSION_LIFETIME')) + session.permanent = True + expires = datetime.utcnow() + timedelta(app.config.get('PERMANENT_SESSION_LIFETIME')) val = self.get_serializer(app).dumps(dict(session)) response.set_cookie(app.session_cookie_name, val, expires=expires, httponly=True,