Add support for setting SameSite and Secure attribute for auth cookie we set#5248
Conversation
"auth-token" cookie we set when authenticating against st2api from st2web. For backward compatibility reasons it defaults to none.
I noticed we also don't set I will also add an option for that and default it to True since it's a best security practice. In case someone doesn't run StackStorm over https (bad idea), they will need to set it to False. I will open st2docs upgrade notes entry which documents how to do that. Also keep in mind that this cookie is pretty much only used when logging in via token / api key in query parameters (which pretty much only means st2web for our official stuff).
cookie we set and default it to True for security reasons. Also default SameSite attribute to Lax.
This reverts commit dde0617.
affected config options.
confusion between none and None.
@cognifloyd I pushed a change which renames Hopefully CI and tests will pass since my local dev environment is totally toast and I don't have multiple hours to spend to try to fix it at this point.
cognifloyd
left a comment
Awesome. I'm not merging right now since we're in code freeze for the 3.6 release.
Now that v3.6.0 merge freeze is over, I will go ahead and merge it into master.
This pull request includes a small "security hardening" change.
It allows the operator to configure the value for the `SameSite` attribute (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, https://web.dev/samesite-cookies-explained/) which is set on the `auth-token` cookie we set in some situations (e.g. when authenticating via st2web and similar).

The value defaults to `Lax`, which should work as a good secure default (setting it to `Strict` may break things in some situations, see the link above).

TODO
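The following is an added example, not code from the st2 project or from this PR, showing how an operator-configurable `SameSite` and `Secure` setting can be applied when the `auth-token` cookie is emitted. The config keys `auth_cookie_same_site` and `auth_cookie_secure` are hypothetical names chosen for illustration; the defaults follow the PR's stated defaults (`Lax` and `True`). The value normalization also covers the `none` vs Python `None` confusion raised in the thread, and the combination `SameSite=None` without `Secure` is rejected, since browsers drop such cookies and the user would silently lose their session.

```python
"""Build the Set-Cookie header for an auth-token cookie whose SameSite and
Secure attributes are driven by operator configuration.

Added example, not st2 project code. The config keys auth_cookie_same_site
and auth_cookie_secure are hypothetical names used for illustration only.
"""
from http.cookies import SimpleCookie

# Accepted config spellings, compared case-insensitively so "lax", "Lax" and
# "LAX" mean the same thing and the string "none" is not confused with
# Python's None. Values map to the canonical header tokens.
_SAMESITE_VALUES = {"strict": "Strict", "lax": "Lax", "none": "None"}


def normalize_samesite(value):
    """Map an operator-supplied SameSite setting to its canonical header token."""
    if value is None:
        raise ValueError("SameSite must be one of strict/lax/none (got Python None)")
    key = str(value).strip().lower()
    if key not in _SAMESITE_VALUES:
        raise ValueError("unsupported SameSite value %r" % (value,))
    return _SAMESITE_VALUES[key]


def build_auth_cookie(token, config, cookie_name="auth-token"):
    """Return the Set-Cookie header value for the auth-token cookie.

    Defaults: SameSite=Lax and Secure=True. `config` is a plain dict standing
    in for whatever the real deployment loads from its configuration file.
    """
    samesite = normalize_samesite(config.get("auth_cookie_same_site", "lax"))
    secure = bool(config.get("auth_cookie_secure", True))

    # Browsers reject SameSite=None cookies that are not also marked Secure,
    # so refuse that combination up front instead of silently dropping auth.
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")

    cookie = SimpleCookie()
    cookie[cookie_name] = token
    morsel = cookie[cookie_name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # keep the token out of reach of page scripts
    morsel["samesite"] = samesite  # http.cookies (3.8+) emits SameSite=<value>
    if secure:
        morsel["secure"] = True    # only ever sent over HTTPS
    return morsel.OutputString()


def cookie_attributes(header_value):
    """Split a Set-Cookie value into (name=value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        name, _, val = part.partition("=")
        attrs[name.lower()] = val
    return parts[0], attrs


if __name__ == "__main__":
    # Constructed sample token and configs; a real deployment reads these
    # from its configuration file rather than a literal dict.
    print(build_auth_cookie("st2-example-token", {}))
    print(build_auth_cookie("st2-example-token",
                            {"auth_cookie_secure": False,
                             "auth_cookie_same_site": "Lax"}))
```

With an empty config the hardened default is emitted (`HttpOnly; Path=/; SameSite=Lax; Secure`); an operator who runs without HTTPS must set `auth_cookie_secure` to `False` explicitly, and any attempt to pair `none` with an insecure cookie fails at startup rather than in the browser.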