Summary

Set the Secure flag on CSRF and Session cookies when HTTPS is used.

Review Request #11652 — Created June 8, 2021 and submitted June 9, 2021, 1:03 a.m.

Information

Owner

chipx86

Repository

Review Board

Branch

release-3.0.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

This change ensures we set the right flags to enable HTTPS cookies when
on HTTPS mode. Unit tests were added to make sure that any cookies set
after changing the setting had the right state.

Testing Done

Unit tests pass.

Commits

Summary	ID
Set the Secure flag on CSRF and Session cookies when HTTPS is used. CSRF and Session cookies really need to be set as Secure when on HTTPS. We weren't doing this before, and while it worked fine in browsers, it won't for very long. In paricular, browsers are getting more strict with `SameSite` on HTTP-only cookies on an HTTPS connection, and this can prevent people from logging in or resetting passwords. This change ensures we set the right flags to enable HTTPS cookies when on HTTPS mode. Unit tests were added to make sure that any cookies set after changing the setting had the right state.	2c691a72a708c6c93f5bb7c0a11754c40270ce96

Summary

Set the Secure flag on CSRF and Session cookies when HTTPS is used.

CSRF and Session cookies really need to be set as Secure when on HTTPS. We weren't doing this before, and while it worked fine in browsers, it won't for very long. In paricular, browsers are getting more strict with `SameSite` on HTTP-only cookies on an HTTPS connection, and this can prevent people from logging in or resetting passwords. This change ensures we set the right flags to enable HTTPS cookies when on HTTPS mode. Unit tests were added to make sure that any cookies set after changing the setting had the right state.

2c691a72a708c6c93f5bb7c0a11754c40270ce96

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-3.0.x (ee8c391)