Set the Secure flag on CSRF and Session cookies when HTTPS is used.

Review Request #11652 — Created June 8, 2021 and submitted — Latest diff uploaded

Information

Review Board
release-3.0.x

Reviewers

CSRF and Session cookies really need to be set as Secure when on HTTPS.
We weren't doing this before, and while it worked fine in browsers, it
won't for very long. In particular, browsers are getting more strict with
SameSite on HTTP-only cookies on an HTTPS connection, and this can
prevent people from logging in or resetting passwords.

This change ensures we set the right flags to enable HTTPS cookies when
on HTTPS mode. Unit tests were added to make sure that any cookies set
after changing the setting had the right state.

Unit tests pass.
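The flag logic the description refers to, as an added example that is not Review Board's code: a Python stand-in for the cookie settings a Django-style site (Review Board is built on Django) derives from its HTTPS setting, followed by the kind of check the added unit tests would make, parsing Set-Cookie headers and flagging a session or CSRF cookie that lacks Secure on an HTTPS site. The cookie names follow Django's defaults; cookie_settings, set_cookie_header and audit_set_cookies are hypothetical helper names, and the sample headers are constructed here.

```python
"""Added example: derive Secure/HttpOnly/SameSite flags from the HTTPS
setting and audit Set-Cookie headers for them. Not Review Board code; the
helper names below are assumptions made for this illustration."""

from http.cookies import SimpleCookie

# Cookie names follow Django's defaults (assumption: the site uses them).
SESSION_COOKIE_NAME = "sessionid"
CSRF_COOKIE_NAME = "csrftoken"
SENSITIVE_COOKIES = (SESSION_COOKIE_NAME, CSRF_COOKIE_NAME)


def cookie_settings(site_uses_https: bool) -> dict:
    """Settings a Django-style site should apply once it knows whether it
    serves over HTTPS. Secure is tied to HTTPS because browsers reject a
    Secure cookie delivered over plain HTTP, which would lock users out."""
    return {
        "SESSION_COOKIE_SECURE": site_uses_https,
        "CSRF_COOKIE_SECURE": site_uses_https,
        "SESSION_COOKIE_HTTPONLY": True,
        # Django's default: client-side script may need to read the CSRF token.
        "CSRF_COOKIE_HTTPONLY": False,
        "SESSION_COOKIE_SAMESITE": "Lax",
        "CSRF_COOKIE_SAMESITE": "Lax",
    }


def set_cookie_header(name: str, value: str, settings: dict) -> str:
    """Render one Set-Cookie header value for the session or CSRF cookie."""
    prefix = "SESSION" if name == SESSION_COOKIE_NAME else "CSRF"
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["samesite"] = settings[f"{prefix}_COOKIE_SAMESITE"]
    if settings[f"{prefix}_COOKIE_SECURE"]:
        morsel["secure"] = True
    if settings[f"{prefix}_COOKIE_HTTPONLY"]:
        morsel["httponly"] = True
    return morsel.OutputString()


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value or True}).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookies(headers, site_uses_https: bool):
    """Return the problems found in session/CSRF Set-Cookie headers; this is
    the check a unit test would make after flipping the HTTPS setting."""
    problems = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SENSITIVE_COOKIES:
            continue
        has_secure = "secure" in attrs
        if site_uses_https and not has_secure:
            problems.append(f"{name}: missing Secure on an HTTPS site")
        if not site_uses_https and has_secure:
            problems.append(f"{name}: Secure set on an HTTP site; browsers reject it")
        # SameSite=None is only honoured together with Secure.
        if str(attrs.get("samesite", "")).lower() == "none" and not has_secure:
            problems.append(f"{name}: SameSite=None requires Secure")
        if name == SESSION_COOKIE_NAME and "httponly" not in attrs:
            problems.append(f"{name}: missing HttpOnly")
    return problems


if __name__ == "__main__":
    # Constructed sample: cookies minted with HTTPS off, served to an HTTPS site.
    plain = cookie_settings(site_uses_https=False)
    headers = [set_cookie_header(SESSION_COOKIE_NAME, "abc", plain),
               set_cookie_header(CSRF_COOKIE_NAME, "tok", plain)]
    for problem in audit_set_cookies(headers, site_uses_https=True):
        print(problem)
```

Running the block directly reports both cookies as missing Secure; regenerating the headers with cookie_settings(True) clears the audit, which is the state the change is meant to guarantee.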

Commits

Files
