From 66de1dcec88f6a961a4a5d792045be8bc8774347 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Tue, 15 Nov 2022 10:47:20 +0100 Subject: [PATCH] Change the logic The idea here is that if you have set SESSION_COOKIE_SECURE we should honor that... and if you haven't we should try to do the right thing. --- core/admin/mailu/configuration.py | 4 +++- core/admin/mailu/sso/views/base.py | 2 +- core/admin/mailu/utils.py | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index b941e95c..eb27aee0 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -73,7 +73,7 @@ DEFAULT_CONFIG = { 'SESSION_KEY_BITS': 128, 'SESSION_TIMEOUT': 3600, 'PERMANENT_SESSION_LIFETIME': 30*24*3600, - 'SESSION_COOKIE_SECURE': True, + 'SESSION_COOKIE_SECURE': False, 'CREDENTIAL_ROUNDS': 12, 'TLS_PERMISSIVE': True, 'TZ': 'Etc/UTC', @@ -156,6 +156,8 @@ class ConfigManager: self.config['SESSION_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/3' self.config['SESSION_COOKIE_SAMESITE'] = 'Strict' self.config['SESSION_COOKIE_HTTPONLY'] = True + if self.config['TLS_FLAVOR'] != 'notls' and not self.config['SESSION_COOKIE_SECURE']: + self.config['SESSION_COOKIE_SECURE'] = True self.config['SESSION_PERMANENT'] = True self.config['SESSION_TIMEOUT'] = int(self.config['SESSION_TIMEOUT']) self.config['PERMANENT_SESSION_LIFETIME'] = int(self.config['PERMANENT_SESSION_LIFETIME']) diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py index a4218ac6..6fa9403f 100644 --- a/core/admin/mailu/sso/views/base.py +++ b/core/admin/mailu/sso/views/base.py @@ -39,7 +39,7 @@ def login(): flask.session.regenerate() flask_login.login_user(user) response = flask.redirect(destination) - response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=False if app.config['TLS_FLAVOR'] == 'notls' else app.config['SESSION_COOKIE_SECURE'], httponly=True) + response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=app.config['SESSION_COOKIE_SECURE'], httponly=True) flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip} pwned={form.pwned.data}.') if msg := utils.isBadOrPwned(form): flask.flash(msg, "error") diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py index a330a7d6..f160fe3f 100644 --- a/core/admin/mailu/utils.py +++ b/core/admin/mailu/utils.py @@ -408,7 +408,7 @@ class MailuSessionInterface(SessionInterface): httponly=self.get_cookie_httponly(app), domain=self.get_cookie_domain(app), path=self.get_cookie_path(app), - secure=False if app.config['TLS_FLAVOR'] == 'notls' else self.get_cookie_secure(app), + secure=self.get_cookie_secure(app), samesite=self.get_cookie_samesite(app) )