From f6d59409def81c487c652a88dd8086fda7019d65 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Tue, 25 Jul 2017 10:11:11 -0400
Subject: [PATCH] Fixing cookie settings for CSRF and auth token
---
 awx/settings/defaults.py | 3 +++
 awx/sso/views.py | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index d076e234ea..ec5f18ba43 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -189,6 +189,9 @@ JOB_EVENT_MAX_QUEUE_SIZE = 10000
 # Disallow sending session cookies over insecure connections
 SESSION_COOKIE_SECURE = True
 
+# Do not allow non-browser clients to read the CSRF cookie.
+CSRF_COOKIE_HTTPONLY = True
+
 # Disallow sending csrf cookies over insecure connections
 CSRF_COOKIE_SECURE = True
 
diff --git a/awx/sso/views.py b/awx/sso/views.py
index 80092a8040..84826a0bb0 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
@@ -60,7 +60,7 @@ class CompleteView(BaseRedirectView):
 logger.info(smart_text(u"User {} logged in".format(self.request.user.username)))
 request.session['auth_token_key'] = token.key
 token_key = urllib.quote('"%s"' % token.key)
-response.set_cookie('token', token_key)
+response.set_cookie('token', value=token_key, httponly=True)
 token_expires = token.expires.astimezone(utc).strftime('%Y-%m-%dT%H:%M:%S')
 token_expires = '%s.%03dZ' % (token_expires, token.expires.microsecond / 1000)
 token_expires = urllib.quote('"%s"' % token_expires)
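Review bot: The comment on the added CSRF_COOKIE_HTTPONLY setting names the wrong party: HttpOnly keeps the cookie out of reach of JavaScript running in the browser, whereas non-browser clients (curl, API scripts) still receive it in Set-Cookie exactly as before. Suggest `# Keep the CSRF cookie out of reach of in-browser JavaScript (HttpOnly); code that sets X-CSRFToken must obtain the token from the rendered page rather than document.cookie.` Any AJAX front end that previously read the csrftoken cookie to populate the X-CSRFToken header will stop working under this setting, so it is worth confirming how the UI obtains the token after this change. Django's documentation for this flag notes it adds little on its own, since an XSS payload can still submit a form from the page, so treat it as defence in depth rather than a fix.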
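Review bot: The rewritten set_cookie for the `token` cookie adds httponly but leaves Django's default `secure=False`, so the auth token can still be transmitted over plain HTTP even though this same commit enforces SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE for the other cookies. Suggest `response.set_cookie('token', value=token_key, httponly=True, secure=settings.SESSION_COOKIE_SECURE)` (or `secure=True` if the module does not already import settings; the import is not visible in the hunk). Note also that an HttpOnly cookie cannot be read by front-end JavaScript, so if the UI previously copied this cookie into an Authorization header that path now needs another source for the token. The enclosing method of CompleteView starts before and continues after this hunk.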