From 5cd029df96efeea36369b7d58eb0e88dba07750c Mon Sep 17 00:00:00 2001
From: Michael Tipton <36353334+CastawayEGR@users.noreply.github.com>
Date: Wed, 17 Jan 2024 09:36:06 -0500
Subject: [PATCH] =?UTF-8?q?Add=20secure=20flag=20option=20for=20userLogged?= =?UTF-8?q?In=20cookie=20if=20SESSION=5FCOOKIE=5FSECU=E2=80=A6=20(#14762)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add secure flag option for userLoggedIn cookie if SESSION_COOKIE_SECURE set to True
---
 awx/api/generics.py | 4 ++--
 awx/sso/views.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/awx/api/generics.py b/awx/api/generics.py
index 1081b02c72..cb875db5b0 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -91,7 +91,7 @@ class LoggedLoginView(auth_views.LoginView):
 ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
 if request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
- ret.set_cookie('userLoggedIn', 'true')
+ ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
 ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return ret
@@ -107,7 +107,7 @@ class LoggedLogoutView(auth_views.LogoutView):
 original_user = getattr(request, 'user', None)
 ret = super(LoggedLogoutView, self).dispatch(request, *args, **kwargs)
 current_user = getattr(request, 'user', None)
- ret.set_cookie('userLoggedIn', 'false')
+ ret.set_cookie('userLoggedIn', 'false', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
 if (not current_user or not getattr(current_user, 'pk', True)) and current_user != original_user:
 logger.info("User {} logged out.".format(original_user.username))
 return ret
diff --git a/awx/sso/views.py b/awx/sso/views.py
index c4ecdc7632..c23ee4428a 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
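Review bot: The new `secure=getattr(settings, 'SESSION_COOKIE_SECURE', False)` argument is pasted verbatim at three call sites — both hunks in this file (LoggedLoginView.post and LoggedLogoutView.dispatch) and CompleteView.dispatch in awx/sso/views.py — so any further attribute on this cookie has to be threaded through all three again. A small shared helper that owns the userLoggedIn cookie's attributes keeps them in one place and makes the three views agree by construction. That helper is also the natural spot to mirror `SESSION_COOKIE_SAMESITE` onto this cookie, which the session cookie carries but userLoggedIn currently does not; worth confirming first that the UI only needs the flag on same-site requests. The enclosing methods start outside the hunks, and where the helper should live depends on what awx/sso/views.py can import, so the module is left to the author.
```python
def set_user_logged_in_cookie(response, value):
    """Set the UI-visible userLoggedIn flag with the same Secure attribute as the session cookie."""
    response.set_cookie(
        'userLoggedIn',
        value,
        secure=getattr(settings, 'SESSION_COOKIE_SECURE', False),
    )

# … unchanged: LoggedLoginView.post up to the login log line …
set_user_logged_in_cookie(ret, 'true')
# … unchanged: LoggedLogoutView.dispatch; its call becomes set_user_logged_in_cookie(ret, 'false') …
```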
@@ -38,7 +38,7 @@ class CompleteView(BaseRedirectView):
 response = super(CompleteView, self).dispatch(request, *args, **kwargs)
 if self.request.user and self.request.user.is_authenticated:
 logger.info(smart_str(u"User {} logged in".format(self.request.user.username)))
- response.set_cookie('userLoggedIn', 'true')
+ response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
 response.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 return response