From df54fe874787402bb4e07534931f108ae003a996 Mon Sep 17 00:00:00 2001
From: Michael Tipton
Date: Wed, 10 Apr 2024 15:53:52 -0400
Subject: [PATCH 1/2] Add ability to set SameSite policy for userLoggedIn cookie

---
 awx/api/generics.py | 2 +-
 awx/settings/defaults.py | 3 +++
 awx/sso/views.py | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/awx/api/generics.py b/awx/api/generics.py
index 7c7fda877ec2..b9eeb9d2cfb3 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -95,7 +95,7 @@ def post(self, request, *args, **kwargs):
 ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
 if request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
- ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+ ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax'))
 ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return ret
 
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 751e41973026..c9270863543c 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -277,6 +277,9 @@
 # Note: This setting may be overridden by database settings.
 SESSION_COOKIE_AGE = 1800
 
+# Option to change userLoggedIn cookie SameSite policy.
+USER_COOKIE_SAMESITE = 'Lax'
+
 # Name of the cookie that contains the session information.
 # Note: Changing this value may require changes to any clients.
 SESSION_COOKIE_NAME = 'awx_sessionid'
diff --git a/awx/sso/views.py b/awx/sso/views.py
index c23ee4428adc..e45f5996e68f 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
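Review bot: The `samesite` value read from `USER_COOKIE_SAMESITE` on the added `set_cookie` line in `LoggedLoginView.post` is passed through unvalidated and is not coupled to the `secure` flag, so the one value this setting exists to enable, `'None'`, yields a cookie that browsers silently discard whenever `SESSION_COOKIE_SECURE` is left at its `False` default (a SameSite=None cookie must also carry Secure). Django's `HttpResponse.set_cookie` also raises `ValueError` for any samesite value other than lax/strict/none, so a typo in the setting would turn every login into a server error rather than a misconfiguration warning. I would read the setting once and derive `secure` from it: `samesite = getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')`, `secure = getattr(settings, 'SESSION_COOKIE_SECURE', False) or str(samesite).lower() == 'none'`, `ret.set_cookie('userLoggedIn', 'true', secure=secure, samesite=samesite)`, and validate the setting's value at startup if the project has a place for that. `post`'s signature is outside the hunk.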
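Review bot: The new comment above `USER_COOKIE_SAMESITE` does not tell an operator which values are accepted or that `'None'` only works over HTTPS, which is the main thing someone changing this setting needs to know. I would extend it to two lines: `# SameSite policy for the userLoggedIn cookie: 'Lax', 'Strict' or 'None'.` and `# 'None' is only honoured by browsers when SESSION_COOKIE_SECURE is True.`. The neighbouring `SESSION_COOKIE_AGE` comment notes it may be overridden by database settings; whether the new setting is meant to be overridable the same way is not stated and is worth a sentence either way.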
@@ -38,7 +38,7 @@ def dispatch(self, request, *args, **kwargs):
 response = super(CompleteView, self).dispatch(request, *args, **kwargs)
 if self.request.user and self.request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in".format(self.request.user.username)))
- response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+ response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax'))
 response.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return response
 
From 656312845f0e29eff37e40c3c4ce87c3b29a97d8 Mon Sep 17 00:00:00 2001
From: Michael Tipton
Date: Wed, 10 Apr 2024 17:07:14 -0400
Subject: [PATCH 2/2] reformat line for linter

---
 awx/api/generics.py | 4 +++-
 awx/sso/views.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/awx/api/generics.py b/awx/api/generics.py
index b9eeb9d2cfb3..c51470c1a414 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -95,7 +95,9 @@ def post(self, request, *args, **kwargs):
 ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
 if request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
- ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax'))
+ ret.set_cookie(
+ 'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+ )
 ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return ret
 
diff --git a/awx/sso/views.py b/awx/sso/views.py
index e45f5996e68f..b6fd724df7dd 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
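Review bot: The added `set_cookie` call in `CompleteView.dispatch` is now a byte-for-byte duplicate of the one in `LoggedLoginView.post`, each independently re-reading `SESSION_COOKIE_SECURE` and `USER_COOKIE_SAMESITE` with its own fallback defaults, so any later fix to how the two flags interact has to be applied in two places. A small shared helper, e.g. `def set_user_logged_in_cookie(response): response.set_cookie('userLoggedIn', 'true', secure=..., samesite=...)` in a module both views import, would keep the cookie policy in one place. The `secure`/`SameSite=None` coupling applies here exactly as in the API view: with `SESSION_COOKIE_SECURE` false, a `'None'` policy produces a cookie that browsers reject, and an invalid value makes `set_cookie` raise during SSO completion. `dispatch`'s signature is outside the hunk.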
@@ -38,7 +38,9 @@ def dispatch(self, request, *args, **kwargs):
 response = super(CompleteView, self).dispatch(request, *args, **kwargs)
 if self.request.user and self.request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in".format(self.request.user.username)))
- response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax'))
+ response.set_cookie(
+ 'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+ )
 response.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return response