External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-20 18:37:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Fixing cookie settings for CSRF and auth token

Browse Source
This commit is contained in:
Wayne Witzel III
2017-07-25 10:11:11 -04:00
parent 0cf376ca6f
commit f6d59409de
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
awx/settings/defaults.py
View File

@@ -189,6 +189,9 @@ JOB_EVENT_MAX_QUEUE_SIZE = 10000
# Disallow sending session cookies over insecure connections # Disallow sending session cookies over insecure connections
SESSION_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True
# Do not allow non-browser clients to read the CSRF cookie.
CSRF_COOKIE_HTTPONLY = True
# Disallow sending csrf cookies over insecure connections # Disallow sending csrf cookies over insecure connections
CSRF_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True

2
awx/sso/views.py
View File

@@ -60,7 +60,7 @@ class CompleteView(BaseRedirectView):
logger.info(smart_text(u"User {} logged in".format(self.request.user.username))) logger.info(smart_text(u"User {} logged in".format(self.request.user.username)))
request.session['auth_token_key'] = token.key request.session['auth_token_key'] = token.key
token_key = urllib.quote('"%s"' % token.key) token_key = urllib.quote('"%s"' % token.key)
response.set_cookie('token', token_key) response.set_cookie('token', value=token_key, httponly=True)
token_expires = token.expires.astimezone(utc).strftime('%Y-%m-%dT%H:%M:%S') token_expires = token.expires.astimezone(utc).strftime('%Y-%m-%dT%H:%M:%S')
token_expires = '%s.%03dZ' % (token_expires, token.expires.microsecond / 1000) token_expires = '%s.%03dZ' % (token_expires, token.expires.microsecond / 1000)
token_expires = urllib.quote('"%s"' % token_expires) token_expires = urllib.quote('"%s"' % token_expires)