Opened 4 years ago

Closed 3 years ago

#14134 closed New feature (fixed)

Ability to set csrf cookie path and https-only plus add 'secure'

Reported by: cfattarsi@…
Owned by: nobody
Component: Core (Other)
Version: 1.2
Severity: Normal
Keywords: csrf
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: yes
Easy pickings:
UI/UX:

Description

This is useful if you have multiple Django instances running under the same hostname. The csrf cookies can use different cookie paths, and each instance will only see its own csrf cookie. That text is taken almost directly from the SESSION_COOKIE_PATH documentation; it would be nice if csrf cookies worked the same way.

Attachments (1)

patch.diff (1.3 KB) - added by cfattarsi@… 4 years ago.
add CSRF_COOKIE_PATH option to settings.py


Change History (7)

Changed 4 years ago by cfattarsi@…

add CSRF_COOKIE_PATH option to settings.py

comment:1 Changed 4 years ago by SmileyChris

  • Component changed from Uncategorized to Core framework
  • Needs documentation set
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

comment:2 Changed 4 years ago by mtredinnick

  • Patch needs improvement set
  • Summary changed from Ability to set csrf cookie path to Ability to set csrf cookie path and https-only
  • Triage Stage changed from Design decision needed to Accepted

Absolutely required. We also need CSRF_COOKIE_SECURE. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).

comment:3 in reply to: ↑ 2 Changed 3 years ago by grendel

  • Needs tests set
  • Summary changed from Ability to set csrf cookie path and https-only to Ability to set csrf cookie path and https-only plus add 'secure'

Replying to mtredinnick:

Absolutely required. We also need CSRF_COOKIE_SECURE. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).

I have modified my local copy of Django to add the CSRF_COOKIE_SECURE feature.

Simply added in settings.py:

    CSRF_COOKIE_SECURE = True

And in django/middleware/csrf.py:

    # Set the CSRF cookie even if it's already set, so we renew the expiry timer.
    response.set_cookie(settings.CSRF_COOKIE_NAME,
                        request.META["CSRF_COOKIE"],
                        max_age=60 * 60 * 24 * 7 * 52,
                        domain=settings.CSRF_COOKIE_DOMAIN,
                        secure=settings.CSRF_COOKIE_SECURE)

Not much to it really, and now my cookies are set as secure, just like the Session cookie.

Last edited 3 years ago by lukeplant
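As an added example (not Django's code and not part of this ticket), the effect of the two settings discussed above, modelled with Python's standard library: a Set-Cookie builder taking the same attributes as the set_cookie() call in comment:3, the RFC 6265 path-matching rule that lets each instance under one hostname see only its own csrftoken, and a check that flags a CSRF cookie issued without Secure on an HTTPS-only site. The instance paths /app1 and /app2, the token value and the cookie jar are constructed.

```python
"""Added example, not Django's code: the CSRF cookie Path/Secure attributes
this ticket adds, modelled with the standard library only."""
from http.cookies import SimpleCookie

def csrf_set_cookie(token, *, path="/", domain=None, secure=False,
                    name="csrftoken", max_age=60 * 60 * 24 * 7 * 52):
    """Set-Cookie value the patched middleware emits (max_age as in
    comment:3; path and secure are the settings this ticket adds)."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["path"] = path
    jar[name]["max-age"] = max_age
    if domain:
        jar[name]["domain"] = domain
    if secure:
        jar[name]["secure"] = True
    return jar.output(header="").strip()

def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path-match: equal, or the request path extends the
    cookie path at a '/' boundary (so '/app1' does not match '/app10/')."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

# Constructed browser jar: (name, path, secure) for two instances that each
# set their own csrftoken scoped by CSRF_COOKIE_PATH and marked Secure.
JAR = [("csrftoken", "/app1", True), ("csrftoken", "/app2", True)]

def cookies_sent(jar, request_path, https):
    """(name, path) of stored cookies a browser attaches to a request;
    Secure cookies are withheld from plain-HTTP requests."""
    return sorted((name, path) for name, path, secure in jar
                  if path_matches(request_path, path) and (https or not secure))

def audit_csrf_cookie(header, https_only):
    """Defender check for the gap raised in comment:2: an HTTPS-only site
    whose CSRF Set-Cookie header lacks the Secure attribute."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    if https_only and "secure" not in attrs:
        return ["CSRF cookie lacks Secure on an HTTPS-only site"]
    return []

if __name__ == "__main__":
    print(csrf_set_cookie("a1b2c3", path="/app1", secure=True))
    print(cookies_sent(JAR, "/app1/login/", https=True))   # only the /app1 cookie
    print(cookies_sent(JAR, "/app1/login/", https=False))  # []: Secure withheld
```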

comment:4 Changed 3 years ago by lukeplant

  • Severity set to Normal
  • Type set to New feature

comment:5 Changed 3 years ago by lukeplant

#15808 was a dupe

comment:6 Changed 3 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

In [16200]:

Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie

Thanks to cfattarsi for the report and initial patch.
