From 898cfe8212a5940dba6552196ddd243f912b5942 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Tue, 11 Feb 2020 10:18:33 +0100
Subject: [PATCH 5/7] daemon: fix cookie options

---
 pcs/daemon/app/session.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/pcs/daemon/app/session.py b/pcs/daemon/app/session.py
index b4d29add..dcbb4c23 100644
--- a/pcs/daemon/app/session.py
+++ b/pcs/daemon/app/session.py
@@ -4,10 +4,16 @@ from pcs.daemon.auth import check_user_groups, authorize_user
 PCSD_SESSION = "pcsd.sid"
 class Mixin:
- __session = None
 """
 Mixin for tornado.web.RequestHandler
 """
+
+ __session = None
+ __cookie_options = {
+ "secure": True,
+ "httponly": True,
+ }
+
 def initialize(self, session_storage: Storage):
 self.__storage = session_storage
@@ -63,7 +69,7 @@ class Mixin:
 """
 Write the session id into a response cookie.
 """
- self.set_cookie(PCSD_SESSION, self.session.sid)
+ self.set_cookie(PCSD_SESSION, self.session.sid, **self.__cookie_options)
 def put_request_cookies_sid_to_response_cookies_sid(self):
 """
@@ -73,7 +79,9 @@ class Mixin:
 #TODO this method should exist temporarily (for sinatra compatibility)
 #pylint: disable=invalid-name
 if self.__sid_from_client is not None:
- self.set_cookie(PCSD_SESSION, self.__sid_from_client)
+ self.set_cookie(
+ PCSD_SESSION, self.__sid_from_client, **self.__cookie_options
+ )
 def was_sid_in_request_cookies(self):
 return self.__sid_from_client is not None
--
2.21.1
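Review bot: `__cookie_options` sets `secure` and `httponly` but no `samesite`, so the session cookie is still attached to cross-site requests and any CSRF defence rests entirely on checks elsewhere in the handlers, which this hunk does not show. Adding `"samesite": "Strict",` (or `"Lax"` if top-level navigations into pcsd must keep the session) to the dict closes that gap; Tornado's `set_cookie` forwards extra keyword arguments to the `http.cookies.Morsel`, which only accepts `samesite` from Python 3.8, so confirm the supported interpreter and Tornado versions before relying on it. A short comment on the dict would also help the next reader, e.g. `# secure: sent only over TLS; httponly: not readable from page scripts`. The rest of `Mixin`, including `initialize`, continues outside the hunk.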
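Review bot: The value re-emitted in the new `set_cookie` call is the sid taken straight from the request cookie, so a client-chosen identifier is echoed back in `Set-Cookie` (now with the new flags) without any sign in this hunk that it was first validated against the session storage; if that validation does not happen earlier, the method keeps open the session-fixation path that its own TODO hints at. Consider re-emitting the sid only when it corresponds to a session that `self.__storage` already knows, or dropping the compatibility path once the sinatra side is gone; the storage API is not visible here, so the exact check is for the author to confirm. `put_request_cookies_sid_to_response_cookies_sid` starts outside the hunk; `was_sid_in_request_cookies` is untouched.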