| author | Bert JW Regeer <bertjw@regeer.org> | 2018-06-05 18:52:12 -0600 |
|---|---|---|
| committer | Bert JW Regeer <bertjw@regeer.org> | 2018-06-05 18:52:12 -0600 |
| commit | 0a998e40bd33d859aa2494fc06d28f138fca3c58 (patch) | |
| tree | c8e9044b05c542102d10ac4198e35db9293ac205 | |
| parent | 967a06c2f5fe3d510dc825ec7b5ecd3934f93bad (diff) | |
| parent | 2c5e19954f252cbdb30842140d45df33b1dbe62b (diff) | |
| download | pyramid-0a998e40bd33d859aa2494fc06d28f138fca3c58.tar.gz pyramid-0a998e40bd33d859aa2494fc06d28f138fca3c58.tar.bz2 pyramid-0a998e40bd33d859aa2494fc06d28f138fca3c58.zip | |
Merge PR #3298 of Pylons/pyramid into feature/session-samesite-lax
| -rw-r--r-- | CONTRIBUTORS.txt | 4 | ||||
| -rw-r--r-- | pyramid/session.py | 16 | ||||
| -rw-r--r-- | pyramid/tests/test_session.py | 7 |
3 files changed, 23 insertions, 4 deletions
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index 60e4e5732..69ed023b0 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -319,4 +319,6 @@ Contributors
 - Hunter Senft-Grupp, 2018/05/14
-- Junhak Lee, 2018/05/14
\ No newline at end of file
+- Junhak Lee, 2018/05/14
+
+- Alex Gaynor, 2018/05/24
diff --git a/pyramid/session.py b/pyramid/session.py
index 4a9c8c100..25ed29878 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -135,6 +135,7 @@ def BaseCookieSessionFactory(
 domain=None,
 secure=False,
 httponly=False,
+ samesite=b'Lax',
 timeout=1200,
 reissue_time=0,
 set_on_exception=True,
@@ -187,6 +188,9 @@ def BaseCookieSessionFactory(
 Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
 session cookie. Default: ``False``.
 
+ ``samesite``
+ The 'samesite' option of the session cookie. Default ``b'Lax'``.
+
 ``timeout``
 A number of seconds of inactivity before a session times out. If
 ``None`` then the cookie never expires. This lifetime only applies
@@ -229,6 +233,7 @@ def BaseCookieSessionFactory(
 _cookie_domain = domain
 _cookie_secure = secure
 _cookie_httponly = httponly
+ _cookie_samesite = samesite
 _cookie_on_exception = set_on_exception
 _timeout = timeout if timeout is None else int(timeout)
 _reissue_time = reissue_time if reissue_time is None else int(reissue_time)
@@ -367,6 +372,7 @@ def BaseCookieSessionFactory(
 domain=self._cookie_domain,
 secure=self._cookie_secure,
 httponly=self._cookie_httponly,
+ samesite=self._cookie_samesite,
 )
 return True
 
@@ -382,6 +388,7 @@ def UnencryptedCookieSessionFactoryConfig(
 cookie_domain=None,
 cookie_secure=False,
 cookie_httponly=False,
+ cookie_samesite=b'Lax',
 cookie_on_exception=True,
 signed_serialize=signed_serialize,
 signed_deserialize=signed_deserialize,
@@ -434,6 +441,9 @@ def UnencryptedCookieSessionFactoryConfig(
 ``cookie_httponly``
 The 'httpOnly' flag of the session cookie.
 
+ ``cookie_samesite``
+ The 'samesite' option of the session cookie. Default: ``b'Lax'``.
+
 ``cookie_on_exception``
 If ``True``, set a session cookie even if an exception occurs while
 rendering a view.
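Review bot: Changing the default from no SameSite attribute to `samesite=b'Lax'` in BaseCookieSessionFactory's signature alters what existing applications send on every cross-site POST — an identity-provider `form_post` callback or a form submitted from another origin will now arrive without the session cookie — and nothing in the hunk documents how to opt out. The value is handed straight to `response.set_cookie`, so presumably `samesite=None` omits the attribute; that should be stated next to the parameter and the default change called out in CHANGES as a behaviour change rather than a pure addition. The literal is also bytes (`b'Lax'`) while the neighbouring `domain`/`secure`/`httponly` options are native str/bool, so callers that read the option back get a different type; unless WebOb requires bytes here, `samesite='Lax'` would keep the public API consistent. The signature continues outside the hunk.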
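Review bot: The added ``samesite`` docstring entry (`The 'samesite' option of the session cookie. Default ``b'Lax'``.`) names neither the accepted values nor the threat the default addresses, so a reader cannot judge whether `Lax` is right for their deployment. I would have the entry state which values WebOb's `set_cookie` accepts (`b'Strict'`, `b'Lax'`, or `None` to omit the attribute — confirm against the pinned WebOb), that `Lax` is a defence-in-depth against CSRF and not a replacement for CSRF tokens because browsers without SameSite support ignore it and cross-site top-level GET navigations still carry the cookie, and that it also stops cross-site POSTs from reaching the session. The line additionally drops the colon every sibling entry uses: `Default: ``b'Lax'``.`. The same wording belongs on the matching entries added for UnencryptedCookieSessionFactoryConfig and SignedCookieSessionFactory.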
@@ -469,6 +479,7 @@ def UnencryptedCookieSessionFactoryConfig(
 domain=cookie_domain,
 secure=cookie_secure,
 httponly=cookie_httponly,
+ samesite=cookie_samesite,
 timeout=timeout,
 reissue_time=0, # to keep session.accessed == session.renewed
 set_on_exception=cookie_on_exception,
@@ -491,6 +502,7 @@ def SignedCookieSessionFactory(
 domain=None,
 secure=False,
 httponly=False,
+ samesite=b'Lax',
 set_on_exception=True,
 timeout=1200,
 reissue_time=0,
@@ -553,6 +565,9 @@ def SignedCookieSessionFactory(
 Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
 session cookie. Default: ``False``.
 
+ ``samesite``
+ The 'samesite' option of the session cookie. Default: ``b'Lax'``.
+
 ``timeout``
 A number of seconds of inactivity before a session times out. If
 ``None`` then the cookie never expires. This lifetime only applies
@@ -608,6 +623,7 @@ def SignedCookieSessionFactory(
 domain=domain,
 secure=secure,
 httponly=httponly,
+ samesite=samesite,
 timeout=timeout,
 reissue_time=reissue_time,
 set_on_exception=set_on_exception,
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index ade602799..3dd82b5f3 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -145,13 +145,14 @@ class SharedCookieSessionTests(object):
 response = Response()
 self.assertEqual(session._set_cookie(response), True)
 cookieval = response.headerlist[-1][1]
- val, domain, path, secure, httponly = [x.strip() for x in
- cookieval.split(';')]
+ val, domain, path, secure, httponly, samesite = [x.strip() for x in
+ cookieval.split(';')]
 self.assertTrue(val.startswith('abc='))
 self.assertEqual(domain, 'Domain=localhost')
 self.assertEqual(path, 'Path=/foo')
 self.assertEqual(secure, 'secure')
 self.assertEqual(httponly, 'HttpOnly')
+ self.assertEqual(samesite, 'SameSite=Lax')
 
 def test_flash_default(self):
 request = testing.DummyRequest()
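Review bot: The only SameSite coverage added to SharedCookieSessionTests is the default path — `self.assertEqual(samesite, 'SameSite=Lax')` — so a regression in plumbing a caller-supplied value, or the `None` opt-out, through `_cookie_samesite` to `set_cookie` would go unnoticed. Add a sibling case that builds the factory with `samesite=None` and asserts that no element of `cookieval.split(';')` starts with `SameSite=`, and one with `b'Strict'` expecting `'SameSite=Strict'`, so the option is proven to be honoured and not merely defaulted. The six-way positional unpack also hard-codes the attribute order WebOb happens to emit; a membership check on the split list would survive a WebOb reordering. The enclosing test method starts outside the hunk.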
@@ -503,7 +504,7 @@ class TestUnencryptedCookieSession(SharedCookieSessionTests, unittest.TestCase):
 expected_cookieval = dummy_signed_serialize(
 (session.accessed, session.created, {'key': 'value'}), secret)
 response = Response()
- response.set_cookie('session', expected_cookieval)
+ response.set_cookie('session', expected_cookieval, samesite=b'Lax')
 expected_cookie = response.headerlist[-1][1]
 self.assertEqual(cookie, expected_cookie) |
