From 477da1fa656def26f58daf11b3906377c9653a8e Mon Sep 17 00:00:00 2001 From: Oliver Date: Mon, 29 Apr 2024 20:49:35 +1000 Subject: [PATCH] Session cookie fix (#7133) * Make session cookie insecure by default * Update docs --- docs/docs/start/config.md | 1 + src/backend/InvenTree/InvenTree/settings.py | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 56d8f06347..6f76b2bccc 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -100,6 +100,7 @@ Depending on how your InvenTree installation is configured, you will need to pay | INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False | | INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False | | INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True | +| INVENTREE_SESSION_COOKIE_SECURE | session_cookie_secure | Enforce secure session cookies | False | ### Proxy Settings diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 8a78d083de..88d5af6ecb 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1110,8 +1110,10 @@ if ( CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_SAMESITE = 'Lax' -SESSION_COOKIE_SECURE = True SESSION_COOKIE_SAMESITE = 'Lax' +SESSION_COOKIE_SECURE = get_boolean_setting( + 'INVENTREE_SESSION_COOKIE_SECURE', 'session_cookie_secure', False +) USE_X_FORWARDED_HOST = get_boolean_setting( 'INVENTREE_USE_X_FORWARDED_HOST',