From 2d9390fd73fee560a72d600f846befcb9e140ad0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 May 2018 18:33:29 -0400 Subject: Set the samesite flag to Lax by default on session cookies Also make it possible to set it to other values --- pyramid/session.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pyramid/session.py b/pyramid/session.py index 4a9c8c100..70af99085 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -135,6 +135,7 @@ def BaseCookieSessionFactory( domain=None, secure=False, httponly=False, + samesite='Lax', timeout=1200, reissue_time=0, set_on_exception=True, @@ -187,6 +188,9 @@ def BaseCookieSessionFactory( Hide the cookie from Javascript by setting the 'HttpOnly' flag of the session cookie. Default: ``False``. + ``samesite`` + The 'samesite' option of the session cookie. Default ``'Lax'``. + ``timeout`` A number of seconds of inactivity before a session times out. If ``None`` then the cookie never expires. This lifetime only applies @@ -229,6 +233,7 @@ def BaseCookieSessionFactory( _cookie_domain = domain _cookie_secure = secure _cookie_httponly = httponly + _cookie_samesite = samesite _cookie_on_exception = set_on_exception _timeout = timeout if timeout is None else int(timeout) _reissue_time = reissue_time if reissue_time is None else int(reissue_time) @@ -367,6 +372,7 @@ def BaseCookieSessionFactory( domain=self._cookie_domain, secure=self._cookie_secure, httponly=self._cookie_httponly, + samesite=self._cookie_samesite, ) return True @@ -382,6 +388,7 @@ def UnencryptedCookieSessionFactoryConfig( cookie_domain=None, cookie_secure=False, cookie_httponly=False, + cookie_samesite='Lax', cookie_on_exception=True, signed_serialize=signed_serialize, signed_deserialize=signed_deserialize, @@ -434,6 +441,9 @@ def UnencryptedCookieSessionFactoryConfig( ``cookie_httponly`` The 'httpOnly' flag of the session cookie. + ``cookie_samesite`` + The 'samesite' option of the session cookie. Default: ``'Lax'``. + ``cookie_on_exception`` If ``True``, set a session cookie even if an exception occurs while rendering a view. @@ -469,6 +479,7 @@ def UnencryptedCookieSessionFactoryConfig( domain=cookie_domain, secure=cookie_secure, httponly=cookie_httponly, + samesite=cookie_samesite, timeout=timeout, reissue_time=0, # to keep session.accessed == session.renewed set_on_exception=cookie_on_exception, @@ -491,6 +502,7 @@ def SignedCookieSessionFactory( domain=None, secure=False, httponly=False, + samesite='Lax', set_on_exception=True, timeout=1200, reissue_time=0, @@ -553,6 +565,9 @@ def SignedCookieSessionFactory( Hide the cookie from Javascript by setting the 'HttpOnly' flag of the session cookie. Default: ``False``. + ``samesite`` + The 'samesite' option of the session cookie. Default: ``'Lax'``. + ``timeout`` A number of seconds of inactivity before a session times out. If ``None`` then the cookie never expires. This lifetime only applies @@ -608,6 +623,7 @@ def SignedCookieSessionFactory( domain=domain, secure=secure, httponly=httponly, + samesite=samesite, timeout=timeout, reissue_time=reissue_time, set_on_exception=set_on_exception, -- cgit v1.2.3 From 3d3deebb926a2b7e3f1c1f25fb207858e9677d29 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 May 2018 18:40:23 -0400 Subject: fix tests --- pyramid/tests/test_session.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py index ade602799..e3d819944 100644 --- a/pyramid/tests/test_session.py +++ b/pyramid/tests/test_session.py @@ -145,13 +145,14 @@ class SharedCookieSessionTests(object): response = Response() self.assertEqual(session._set_cookie(response), True) cookieval = response.headerlist[-1][1] - val, domain, path, secure, httponly = [x.strip() for x in - cookieval.split(';')] + val, domain, path, secure, httponly, samesite = [x.strip() for x in + cookieval.split(';')] self.assertTrue(val.startswith('abc=')) self.assertEqual(domain, 'Domain=localhost') self.assertEqual(path, 'Path=/foo') self.assertEqual(secure, 'secure') self.assertEqual(httponly, 'HttpOnly') + self.assertEqual(samesite, 'SameSite=Lax') def test_flash_default(self): request = testing.DummyRequest() @@ -503,7 +504,7 @@ class TestUnencryptedCookieSession(SharedCookieSessionTests, unittest.TestCase): expected_cookieval = dummy_signed_serialize( (session.accessed, session.created, {'key': 'value'}), secret) response = Response() - response.set_cookie('session', expected_cookieval) + response.set_cookie('session', expected_cookieval, samesite='Lax') expected_cookie = response.headerlist[-1][1] self.assertEqual(cookie, expected_cookie) -- cgit v1.2.3 From bd1cfa871d2abf006a1ab8ae606f7eaf0663a170 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 May 2018 18:44:02 -0400 Subject: python 3 fix --- pyramid/session.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pyramid/session.py b/pyramid/session.py index 70af99085..25ed29878 100644 --- a/pyramid/session.py +++ b/pyramid/session.py @@ -135,7 +135,7 @@ def BaseCookieSessionFactory( domain=None, secure=False, httponly=False, - samesite='Lax', + samesite=b'Lax', timeout=1200, reissue_time=0, set_on_exception=True, @@ -189,7 +189,7 @@ def BaseCookieSessionFactory( session cookie. Default: ``False``. ``samesite`` - The 'samesite' option of the session cookie. Default ``'Lax'``. + The 'samesite' option of the session cookie. Default ``b'Lax'``. ``timeout`` A number of seconds of inactivity before a session times out. If @@ -388,7 +388,7 @@ def UnencryptedCookieSessionFactoryConfig( cookie_domain=None, cookie_secure=False, cookie_httponly=False, - cookie_samesite='Lax', + cookie_samesite=b'Lax', cookie_on_exception=True, signed_serialize=signed_serialize, signed_deserialize=signed_deserialize, @@ -442,7 +442,7 @@ def UnencryptedCookieSessionFactoryConfig( The 'httpOnly' flag of the session cookie. ``cookie_samesite`` - The 'samesite' option of the session cookie. Default: ``'Lax'``. + The 'samesite' option of the session cookie. Default: ``b'Lax'``. ``cookie_on_exception`` If ``True``, set a session cookie even if an exception occurs @@ -502,7 +502,7 @@ def SignedCookieSessionFactory( domain=None, secure=False, httponly=False, - samesite='Lax', + samesite=b'Lax', set_on_exception=True, timeout=1200, reissue_time=0, @@ -566,7 +566,7 @@ def SignedCookieSessionFactory( session cookie. Default: ``False``. ``samesite`` - The 'samesite' option of the session cookie. Default: ``'Lax'``. + The 'samesite' option of the session cookie. Default: ``b'Lax'``. ``timeout`` A number of seconds of inactivity before a session times out. If -- cgit v1.2.3 From bc8728ae183f04fd0ce7e261fb7731a61163ebbe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 May 2018 18:45:51 -0400 Subject: oops, py3 here too --- pyramid/tests/test_session.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py index e3d819944..3dd82b5f3 100644 --- a/pyramid/tests/test_session.py +++ b/pyramid/tests/test_session.py @@ -504,7 +504,7 @@ class TestUnencryptedCookieSession(SharedCookieSessionTests, unittest.TestCase): expected_cookieval = dummy_signed_serialize( (session.accessed, session.created, {'key': 'value'}), secret) response = Response() - response.set_cookie('session', expected_cookieval, samesite='Lax') + response.set_cookie('session', expected_cookieval, samesite=b'Lax') expected_cookie = response.headerlist[-1][1] self.assertEqual(cookie, expected_cookie) -- cgit v1.2.3 From 2c5e19954f252cbdb30842140d45df33b1dbe62b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 May 2018 19:26:14 -0400 Subject: Sign CONTRIBUTORS.txt --- CONTRIBUTORS.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt index 60e4e5732..69ed023b0 100644 --- a/CONTRIBUTORS.txt +++ b/CONTRIBUTORS.txt @@ -319,4 +319,6 @@ Contributors - Hunter Senft-Grupp, 2018/05/14 -- Junhak Lee, 2018/05/14 \ No newline at end of file +- Junhak Lee, 2018/05/14 + +- Alex Gaynor, 2018/05/24 -- cgit v1.2.3