Opened 6 years ago

Closed 6 years ago

#14134 closed New feature (fixed)

Ability to set csrf cookie path and https-only plus add 'secure'

Reported by: cfattarsi@…
Owned by: nobody
Component: Core (Other)
Version: 1.2
Severity: Normal
Keywords: csrf
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: yes
Easy pickings:
UI/UX:

Description

This is useful if you have multiple Django instances running under the same hostname. The csrf cookies can use different cookie paths, and each instance will only see its own csrf cookie. That text is taken almost directly from the SESSION_COOKIE_PATH documentation; it would be nice if csrf cookies worked the same way.

Attachments (1)

patch.diff (1.3 KB) - added by cfattarsi@… 6 years ago.
add CSRF_COOKIE_PATH option to settings.py


Change History (7)

Changed 6 years ago by cfattarsi@…

Attachment: patch.diff added

add CSRF_COOKIE_PATH option to settings.py

comment:1 Changed 6 years ago by Chris Beaven

Component: Uncategorized → Core framework
Needs documentation: set
Triage Stage: Unreviewed → Design decision needed

comment:2 Changed 6 years ago by Malcolm Tredinnick

Patch needs improvement: set
Summary: Ability to set csrf cookie path → Ability to set csrf cookie path and https-only
Triage Stage: Design decision needed → Accepted

Absolutely required. We also need CSRF_COOKIE_SECURE. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).

comment:3 in reply to:  2 Changed 6 years ago by grendel

Needs tests: set
Summary: Ability to set csrf cookie path and https-only → Ability to set csrf cookie path and https-only plus add 'secure'

Replying to mtredinnick:

Absolutely required. We also need CSRF_COOKIE_SECURE. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).

I have modified my local copy of Django to add the CSRF_COOKIE_SECURE feature.

Simply added in settings.py:

CSRF_COOKIE_SECURE = True

And in django/middleware/csrf.py

    # Set the CSRF cookie even if it's already set, so we renew the expiry timer.
    response.set_cookie(settings.CSRF_COOKIE_NAME,
                        request.META["CSRF_COOKIE"],
                        max_age=60 * 60 * 24 * 7 * 52,
                        domain=settings.CSRF_COOKIE_DOMAIN,
                        secure=settings.CSRF_COOKIE_SECURE)

Not much to it really, and now my cookies are set as secure, just like the session cookie.

Last edited 6 years ago by Luke Plant
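The cookie-scoping behaviour this ticket relies on, as an added example (my own code, not Django's and not from the ticket): it renders the Set-Cookie header an instance would emit from its CSRF_COOKIE_NAME, CSRF_COOKIE_PATH, CSRF_COOKIE_SECURE and CSRF_COOKIE_DOMAIN values, then applies a simplified RFC 6265 browser model (path-match plus the Secure flag; the Domain attribute and expiry are not modelled, cookies are treated as host-only) to show that two instances on one hostname overwrite each other's csrftoken on the default path "/" but not with distinct CSRF_COOKIE_PATH values, and that a Secure cookie is withheld over plain HTTP. The hostname example.test, the paths /app1 and /app2 and the token values are constructed for the example.

```python
"""Added example, not part of the ticket or of Django itself.

Shows what CSRF_COOKIE_PATH and CSRF_COOKIE_SECURE buy you when two Django
instances share one hostname. Header rendering uses the standard library;
the browser side is a simplified RFC 6265 model (path-match and Secure only;
Domain and expiry are ignored, cookies are assumed host-only).
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 60 * 60 * 24 * 7 * 52  # the max_age used by Django's CSRF middleware


def csrf_set_cookie(token: str, path: str = "/", secure: bool = False,
                    domain: Optional[str] = None, name: str = "csrftoken") -> str:
    """Render the Set-Cookie header an instance emits for its CSRF token,
    driven by the same four settings the middleware reads."""
    jar = SimpleCookie()
    jar[name] = token
    morsel = jar[name]
    morsel["path"] = path
    morsel["max-age"] = ONE_YEAR
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


# A browser's cookie store for one host, keyed the way browsers key cookies:
# (name, path) -> (value, secure). Same name and path replaces the old cookie.
Jar = Dict[Tuple[str, str], Tuple[str, bool]]


def store(jar: Jar, set_cookie: str) -> None:
    """Apply a Set-Cookie header to the jar."""
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    for name, morsel in parsed.items():
        jar[(name, morsel["path"] or "/")] = (morsel.value, bool(morsel["secure"]))


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: exact, or prefix ending in '/',
    or prefix followed by '/' in the request path."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(jar: Jar, url: str) -> List[Tuple[str, str]]:
    """Cookies a browser would attach to a request for url, longest path first.
    Secure cookies are only sent when the scheme is https."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    sent = [(path, name, value) for (name, path), (value, secure) in jar.items()
            if path_matches(path, parts.path or "/") and (https or not secure)]
    sent.sort(key=lambda item: -len(item[0]))
    return [(name, value) for _path, name, value in sent]


def default_settings() -> List[Tuple[str, str]]:
    """Both instances on the defaults (path '/', not secure): the second
    instance's cookie replaces the first, so a request to /app1 carries
    the token issued by /app2 and its CSRF check fails."""
    jar: Jar = {}
    store(jar, csrf_set_cookie("token-app1"))   # constructed token, instance at /app1
    store(jar, csrf_set_cookie("token-app2"))   # constructed token, instance at /app2
    return cookies_for(jar, "https://example.test/app1/post/")


def scoped_settings() -> Dict[str, List[Tuple[str, str]]]:
    """Each instance with its own CSRF_COOKIE_PATH and CSRF_COOKIE_SECURE = True."""
    jar: Jar = {}
    store(jar, csrf_set_cookie("token-app1", path="/app1", secure=True))
    store(jar, csrf_set_cookie("token-app2", path="/app2", secure=True))
    return {
        "app1 over https": cookies_for(jar, "https://example.test/app1/post/"),
        "app2 over https": cookies_for(jar, "https://example.test/app2/"),
        "app1 over http": cookies_for(jar, "http://example.test/app1/post/"),
        "/app10 (prefix, not a path match)": cookies_for(jar, "https://example.test/app10/"),
    }


if __name__ == "__main__":
    print("defaults, request to /app1:", default_settings())
    for label, sent in scoped_settings().items():
        print(f"{label}: {sent}")
```

The /app10 case is why the model implements the full path-match rule rather than a plain prefix test: a cookie scoped to /app1 is not sent to /app10, so two instances whose prefixes share leading characters still stay isolated.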

comment:4 Changed 6 years ago by Luke Plant

Severity: Normal
Type: New feature

comment:5 Changed 6 years ago by Luke Plant

#15808 was a dupe

comment:6 Changed 6 years ago by Luke Plant

Resolution: fixed
Status: new → closed

In [16200]:

Fixed #14134 - ability to set cookie 'path' and 'secure' attributes of CSRF cookie

Thanks to cfattarsi for the report and initial patch.
