Set the Secure flag on CSRF and Session cookies when HTTPS is used.

Review Request #11652 — Created June 8, 2021 and submitted

Information

Review Board
release-3.0.x

Reviewers

CSRF and Session cookies really need to be set as Secure when on HTTPS.
We weren't doing this before, and while it worked fine in browsers, it
won't for very long. In paricular, browsers are getting more strict with
SameSite on HTTP-only cookies on an HTTPS connection, and this can
prevent people from logging in or resetting passwords.

This change ensures we set the right flags to enable HTTPS cookies when
on HTTPS mode. Unit tests were added to make sure that any cookies set
after changing the setting had the right state.

Unit tests pass.

Summary ID
Set the Secure flag on CSRF and Session cookies when HTTPS is used.
CSRF and Session cookies really need to be set as Secure when on HTTPS. We weren't doing this before, and while it worked fine in browsers, it won't for very long. In paricular, browsers are getting more strict with `SameSite` on HTTP-only cookies on an HTTPS connection, and this can prevent people from logging in or resetting passwords. This change ensures we set the right flags to enable HTTPS cookies when on HTTPS mode. Unit tests were added to make sure that any cookies set after changing the setting had the right state.
2c691a72a708c6c93f5bb7c0a11754c40270ce96
david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-3.0.x (ee8c391)