From 05d988349cd06049a289544d2b6cf2f64b4e6f0c Mon Sep 17 00:00:00 2001
From: adamscmRH
Date: Tue, 20 Nov 2018 10:13:53 -0500
Subject: [PATCH] make current_user ck secure and httponly
---
 awx/api/generics.py | 3 +--
 awx/sso/views.py | 3 ++-
 .../authenticationServices/authentication.service.js | 10 +++++++---
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/awx/api/generics.py b/awx/api/generics.py
index 75f1698e2d..abd0ae679d 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -92,8 +92,7 @@ class LoggedLoginView(auth_views.LoginView):
 current_user = UserSerializer(self.request.user)
 current_user = JSONRenderer().render(current_user.data)
 current_user = urllib.quote('%s' % current_user, '')
- ret.set_cookie('current_user', current_user)
-
+ ret.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
 return ret
 else:
 ret.status_code = 401
diff --git a/awx/sso/views.py b/awx/sso/views.py
index 39163e7c6d..5fb993a794 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
@@ -13,6 +13,7 @@ from django.views.generic.base import RedirectView
 from django.utils.encoding import smart_text
 from awx.api.serializers import UserSerializer
 from rest_framework.renderers import JSONRenderer
+from django.conf import settings
 logger = logging.getLogger('awx.sso.views')
@@ -45,7 +46,7 @@ class CompleteView(BaseRedirectView):
 current_user = UserSerializer(self.request.user)
 current_user = JSONRenderer().render(current_user.data)
 current_user = urllib.quote('%s' % current_user, '')
- response.set_cookie('current_user', current_user)
+ response.set_cookie('current_user', current_user, secure=settings.SESSION_COOKIE_SECURE or None)
 return response
diff --git a/awx/ui/client/src/login/authenticationServices/authentication.service.js b/awx/ui/client/src/login/authenticationServices/authentication.service.js
index fa7ff2a2fa..568adeb3fc 100644
--- a/awx/ui/client/src/login/authenticationServices/authentication.service.js
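Review bot: The new `ret.set_cookie(...)` line sets only `secure`; the commit title promises HttpOnly as well, but no `httponly=True` is passed, so `current_user` stays readable from script. That is probably deliberate, because the UI hunk in authentication.service.js rewrites `current_user` through `$cookies` (and restoreUserInfo presumably reads it back on refresh), which an HttpOnly cookie would break, so either record that next to the call, `# not HttpOnly on purpose: the UI reads/rewrites current_user via $cookies`, or add the flag if it really is intended. The hunk also uses `settings` without adding an import here, whereas sso/views.py needed `from django.conf import settings` added in this same commit; confirm generics.py already imports it. As far as I recall Django's set_cookie only tests the flag for truthiness, so `secure=settings.SESSION_COOKIE_SECURE or None` is no different from `secure=settings.SESSION_COOKIE_SECURE` and the `or None` can go. The enclosing method of LoggedLoginView starts before the hunk.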
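Review bot: The serialize, quote and `response.set_cookie(...)` sequence ending at the changed line is now duplicated verbatim between CompleteView here and LoggedLoginView in awx/api/generics.py, so the Secure flag, and any later HttpOnly or SameSite decision, has to be edited in two places to stay consistent. A small shared helper taking the response and the user would keep the cookie attributes in one spot and leave both views as a single call; a sketch follows, preserving the existing `'%s' % current_user` and `urllib.quote` behaviour unchanged. CompleteView's method begins before the hunk.
```python
def set_current_user_cookie(response, user):
    """Attach the script-readable `current_user` cookie (serialized `user`) to `response`."""
    data = JSONRenderer().render(UserSerializer(user).data)
    response.set_cookie('current_user', urllib.quote('%s' % data, ''),
                        secure=settings.SESSION_COOKIE_SECURE or None)
    return response

# … unchanged: CompleteView body up to the cookie …
        return set_current_user_cookie(response, self.request.user)
```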
+++ b/awx/ui/client/src/login/authenticationServices/authentication.service.js
@@ -16,9 +16,9 @@ export default ['$http', '$rootScope', '$cookies', 'GetBasePath', 'Store', '$q',
- '$injector',
+ '$injector', '$location',
 function ($http, $rootScope, $cookies, GetBasePath, Store, $q,
- $injector) {
+ $injector, $location) {
 return {
 setToken: function (token, expires) {
 $cookies.remove('token_expires');
@@ -147,7 +147,11 @@ export default
 setUserInfo: function (response) {
 // store the response values in $rootScope so we can get to them later
 $rootScope.current_user = response.results[0];
- $cookies.putObject('current_user', response.results[0]); //keep in session cookie in the event of browser refresh
+ if ($location.protocol() === 'https') {
+ $cookies.putObject('current_user', response.results[0], {secure: true}); //keep in session cookie in the event of browser refresh
+ } else {
+ $cookies.putObject('current_user', response.results[0], {secure: false});
+ }
 },
 restoreUserInfo: function () {
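Review bot: The if/else added in setUserInfo differs only in the `secure` option, so it reduces to a single call, `$cookies.putObject('current_user', response.results[0], {secure: $location.protocol() === 'https'}); //keep in session cookie in the event of browser refresh`, which also keeps the explanatory comment on the http path where the new else branch dropped it. This client-side rewrite keys Secure off the page scheme while the server side (generics.py, sso/views.py) keys it off SESSION_COOKIE_SECURE, so the two can disagree on an https page with the setting off; if that is meant as a client-side upgrade of the flag, a one-line comment saying so would help the next reader. As far as I recall ngCookies defaults the cookie path to the app base href rather than `/`, so it is worth confirming this write replaces the server-set cookie instead of creating a second `current_user` cookie on a narrower path. The hunk's last line opens restoreUserInfo, whose body lies outside the hunk.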