Fixing cookie settings for CSRF and auth token

2026-01-14 19:30:39 -03:30 · 2017-07-25 10:11:11 -04:00 · 2017-07-25 10:11:11 -04:00 · f6d59409de
commit f6d59409de
parent 0cf376ca6f
2 changed files with 4 additions and 1 deletions
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@ -189,6 +189,9 @@ JOB_EVENT_MAX_QUEUE_SIZE = 10000
 # Disallow sending session cookies over insecure connections
 SESSION_COOKIE_SECURE = True

+# Do not allow non-browser clients to read the CSRF cookie.
+CSRF_COOKIE_HTTPONLY = True
+
 # Disallow sending csrf cookies over insecure connections
 CSRF_COOKIE_SECURE = True

--- a/awx/sso/views.py
+++ b/awx/sso/views.py
@ -60,7 +60,7 @@ class CompleteView(BaseRedirectView):
                logger.info(smart_text(u"User {} logged in".format(self.request.user.username)))
            request.session['auth_token_key'] = token.key
            token_key = urllib.quote('"%s"' % token.key)
-            response.set_cookie('token', token_key)
+            response.set_cookie('token', value=token_key, httponly=True)
            token_expires = token.expires.astimezone(utc).strftime('%Y-%m-%dT%H:%M:%S')
            token_expires = '%s.%03dZ' % (token_expires, token.expires.microsecond / 1000)
            token_expires = urllib.quote('"%s"' % token_expires)