From 898cfe8212a5940dba6552196ddd243f912b5942 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 11 Feb 2020 10:18:33 +0100
Subject: [PATCH 5/7] daemon: fix cookie options
---
pcs/daemon/app/session.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/pcs/daemon/app/session.py b/pcs/daemon/app/session.py
index b4d29add..dcbb4c23 100644
--- a/pcs/daemon/app/session.py
+++ b/pcs/daemon/app/session.py
@@ -4,10 +4,16 @@ from pcs.daemon.auth import check_user_groups, authorize_user
PCSD_SESSION = "pcsd.sid"
class Mixin:
- __session = None
"""
Mixin for tornado.web.RequestHandler
"""
+
+ __session = None
+ __cookie_options = {
+ "secure": True,
+ "httponly": True,
+ }
+
def initialize(self, session_storage: Storage):
self.__storage = session_storage
@@ -63,7 +69,7 @@ class Mixin:
"""
Write the session id into a response cookie.
"""
- self.set_cookie(PCSD_SESSION, self.session.sid)
+ self.set_cookie(PCSD_SESSION, self.session.sid, **self.__cookie_options)
def put_request_cookies_sid_to_response_cookies_sid(self):
"""
@@ -73,7 +79,9 @@ class Mixin:
#TODO this method should exist temporarily (for sinatra compatibility)
#pylint: disable=invalid-name
if self.__sid_from_client is not None:
- self.set_cookie(PCSD_SESSION, self.__sid_from_client)
+ self.set_cookie(
+ PCSD_SESSION, self.__sid_from_client, **self.__cookie_options
+ )
def was_sid_in_request_cookies(self):
return self.__sid_from_client is not None
--
2.21.1