👽 Reduce the session cookie security to Lax
Ideally we set this to Strict, but the session cookie is now not sent
during redirects from OIDC providers (like Google, Azure, Keycloak)
after successful authentication, causing crashes on our end because
we don't have access to the OIDC state and therefore we have a broken
reference to the OIDC config model being used.

See mozilla/mozilla-django-oidc#497 for more
information - in summary the best solution would be to set it to Strict,
but temporarily reduce this to Lax during the OIDC flow (possibly via
middleware), which will require overriding some django.contrib.sessions
middleware.
sergei-maertens authored and bart-maykin committed Sep 20, 2024
1 parent b320257 commit 7f9430c
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/woo_publications/conf/docker.py
Expand Up @@ -11,6 +11,8 @@
os.environ.setdefault("CACHE_DEFAULT", "redis:6379/0")
os.environ.setdefault("CACHE_AXES", "redis:6379/0")

os.environ.setdefault("SESSION_COOKIE_SAMESITE", "Lax")

# # Strongly suggested to not use this, but explicitly list the allowed hosts. It is
# used to verify if a redirect is safe or not (open redirect vulnerabilities etc.)
# os.environ.setdefault("ALLOWED_HOSTS", "*")
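Review bot: the new `os.environ.setdefault("SESSION_COOKIE_SAMESITE", "Lax")` line carries no comment, while the commit message describes it as a temporary relaxation from the intended `Strict`; the `ALLOWED_HOSTS` block directly below shows the file's convention of explaining security-relevant defaults inline, so a one-line comment pointing at mozilla/mozilla-django-oidc#497 and stating that `Strict` is the goal once the OIDC flow can downgrade per-request would keep this from silently becoming permanent. Because this is `setdefault`, anyone exporting `SESSION_COOKIE_SAMESITE=Strict` in the container environment will reintroduce the crash described in the message, which is another reason to document it at the point of definition. Also worth stating in that comment: `Lax` only restores the cookie on top-level navigations with safe methods, which matches the redirect the message describes but would not cover a provider that returns the authorization response via a cross-site POST.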
