issue2551370 - prefix session cookie with __Secure- over https

rouilj · rouilj · commit e5daacfbbd8d · 2024-11-26T17:11:13.000-05:00
Limit use of roundup session cookie to HTTPS protocol by adding
__Secure- prefix. Automatic testing includes http behavior only.
Https behavious has been manually tested only. Need to be able to spin
up an https server using wsgiref to test https behavior in CI.
issue 2551373 opened to track automatic testing of https behavior.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -45,6 +45,8 @@ Features:
   one-by-one (using the check function) but instead offload the
   permission checks to the database. For SQL backends this performs the
   filtering in the database.  (Ralf Schlatterbeck)
+- issue2551370 - mark roundup session cookie with __Secure-
+  prefix. (John Rouillard)
 
 2024-07-13 2.4.0
 
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
@@ -133,6 +133,21 @@ to::
 at the top of both files. The icing macro used in other tracker
 templates was renamed to frame in this tracker template.
 
+More secure session cookie handling (info)
+------------------------------------------
+
+This affects you if you are accessing a tracker via https.  The name
+for the cookie that you get when logging into the web interface has a
+new name. When upgrading to Roundup 2.5 all users will have to to log
+in again. The cookie now has a ``__Secure-`` prefix to prevent it
+from being exposed/used over http.
+
+If your tracker is using the unencrypted http protocol, nothing has
+changed.
+
+See
+https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes
+for details on this security measure.
 
 
 .. index:: Upgrading; 2.3.0 to 2.4.0
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -190,8 +190,12 @@ def __init__(self, client):
         self.session_db = client.db.getSessionManager()
 
         # parse cookies for session id
-        self.cookie_name = 'roundup_session_%s' % \
-            re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
+        if self.client.secure:
+            cookie_template = '__Secure-roundup_session_%s'
+        else:
+            cookie_template = 'roundup_session_%s'
+        self.cookie_name = cookie_template % \
+                re.sub('[^a-zA-Z]', '', client.instance.config.TRACKER_NAME)
         cookies = LiberalCookie(client.env.get('HTTP_COOKIE', ''))
         if self.cookie_name in cookies:
             try:
diff --git a/test/test_liveserver.py b/test/test_liveserver.py
@@ -176,6 +176,18 @@ def create_login_session(self, username="admin", password="sekrit",
             return session
         return session, response
 
+    def test_cookie_attributes(self):
+        session, _response = self.create_login_session()
+
+        cookie_box = session.cookies._cookies['localhost.local']['/']
+        cookie = cookie_box['roundup_session_Roundupissuetracker']
+
+        # check cookie attributes. This is an http session, so
+        # we can't check secure or see cookie with __Secure- prefix 8-(.
+        self.assertEqual(cookie.name, 'roundup_session_Roundupissuetracker')
+        self.assertEqual(cookie.expires, None)  # session cookie
+        self.assertEqual(cookie._rest['HttpOnly'], None)  # flag is present
+        self.assertEqual(cookie._rest['SameSite'], 'Lax')
 
     def test_query(self):
         current_user_query = (
