
[BUG] Use secure session cookies

Open lunkwill42 opened this issue 4 years ago • 0 comments

Describe the bug

NAV doesn't employ the Secure attribute on its session cookie. Whenever NAV is configured to be served over HTTPS, this should be part of the cookie.

This would normally be accomplished by setting SESSION_COOKIE_SECURE = True in the site settings. However, ATM, the NAV code base doesn't sufficiently support differentiating between development settings and production settings. In most development environments, NAV will NOT be served over HTTPS, only HTTP. Also, some users might, for some strange reason, opt to serve NAV on a non-SSL site also in production (in most common configurations, this is set up entirely outside of NAV, in the web server config).

Because of these considerations, a new option for this might actually be needed in etc/webfront/webfront.conf, so the user can control the option.

Environment (please complete the following information):

  • NAV version installed: 5.0.6

lunkwill42, Oct 12 '20 09:10
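One way the option proposed in this issue could be wired up, as an added example that is not NAV's code or part of the original issue: the `[sessions]` section and `secure_cookie` option are hypothetical names, and `sessionid` is Django's default session cookie name, assumed here rather than taken from NAV. The second function checks a `Set-Cookie` header to confirm the attribute actually reaches the browser.

```python
import configparser
from http.cookies import SimpleCookie

# Constructed sample of etc/webfront/webfront.conf; the [sessions] section and
# the "secure_cookie" option are hypothetical names, not NAV's actual options.
SAMPLE_CONF = """
[sessions]
secure_cookie = yes
"""


def session_cookie_settings(conf_text, section="sessions", option="secure_cookie"):
    """Return Django session-cookie settings derived from webfront.conf text.

    Defaults to False when the option is absent, so plain-HTTP development
    setups keep working; a malformed value raises instead of silently
    falling back to a cookie without the Secure attribute.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    try:
        secure = parser.getboolean(section, option, fallback=False)
    except ValueError as err:
        raise ValueError(f"[{section}] {option} must be a boolean: {err}") from None
    return {"SESSION_COOKIE_SECURE": secure}


def cookie_has_secure(set_cookie_header, name="sessionid"):
    """Check whether a Set-Cookie header value marks the named cookie Secure."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return name in jar and bool(jar[name]["secure"])


if __name__ == "__main__":
    print(session_cookie_settings(SAMPLE_CONF))
    # Constructed header values, as a deployment check might capture them.
    print(cookie_has_secure("sessionid=abc123; Path=/; HttpOnly; Secure"))
    print(cookie_has_secure("sessionid=abc123; Path=/; HttpOnly"))
```

In a Django settings module the returned dict would be applied with `globals().update(...)` or by assigning `SESSION_COOKIE_SECURE` directly.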