Merge pull request #10734 from Thunderbottom/cookie-stonks
fix: make cookies more secure
This commit is contained in:
mergify[bot]
GitHub
commit
04516c8dd9
5 changed files with 20 additions and 30 deletions
|
|
@ -333,12 +333,20 @@ class CookieManager:
|
|||
# sid expires in 3 days
|
||||
expires = datetime.datetime.now() + datetime.timedelta(days=3)
|
||||
if frappe.session.sid:
|
||||
self.cookies["sid"] = {"value": frappe.session.sid, "expires": expires}
|
||||
self.set_cookie("sid", frappe.session.sid, expires=expires, httponly=True)
|
||||
if frappe.session.session_country:
|
||||
self.cookies["country"] = {"value": frappe.session.get("session_country")}
|
||||
self.set_cookie("country", frappe.session.session_country)
|
||||
|
||||
def set_cookie(self, key, value, expires=None):
|
||||
self.cookies[key] = {"value": value, "expires": expires}
|
||||
def set_cookie(self, key, value, expires=None, secure=False, httponly=False, samesite="Strict"):
|
||||
if not secure:
|
||||
secure = frappe.local.request.scheme == "https"
|
||||
self.cookies[key] = {
|
||||
"value": value,
|
||||
"expires": expires,
|
||||
"secure": secure,
|
||||
"httponly": httponly,
|
||||
"samesite": samesite
|
||||
}
|
||||
|
||||
def delete_cookie(self, to_delete):
|
||||
if not isinstance(to_delete, (list, tuple)):
|
||||
|
|
@ -349,7 +357,10 @@ class CookieManager:
|
|||
def flush_cookies(self, response):
|
||||
for key, opts in self.cookies.items():
|
||||
response.set_cookie(key, quote((opts.get("value") or "").encode('utf-8')),
|
||||
expires=opts.get("expires"))
|
||||
expires=opts.get("expires"),
|
||||
secure=opts.get("secure"),
|
||||
httponly=opts.get("httponly"),
|
||||
samesite=opts.get("samesite"))
|
||||
|
||||
# expires yesterday!
|
||||
expires = datetime.datetime.now() + datetime.timedelta(days=-1)
|
||||
|
|
|
|||
|
|
@ -101,15 +101,6 @@ frappe.Application = Class.extend({
|
|||
frappe.ui.startup_setup_dialog.show();
|
||||
}
|
||||
|
||||
// listen to csrf_update
|
||||
frappe.realtime.on("csrf_generated", function(data) {
|
||||
// handles the case when a user logs in again from another tab
|
||||
// and it leads to invalid request in the current tab
|
||||
if (data.csrf_token && data.sid===frappe.get_cookie("sid")) {
|
||||
frappe.csrf_token = data.csrf_token;
|
||||
}
|
||||
});
|
||||
|
||||
frappe.realtime.on("version-update", function() {
|
||||
var dialog = frappe.msgprint({
|
||||
message:__("The application has been updated to a new version, please refresh this page"),
|
||||
|
|
|
|||
|
|
@ -126,7 +126,7 @@ frappe.request.call = function(opts) {
|
|||
message: __('The resource you are looking for is not available')});
|
||||
},
|
||||
403: function(xhr) {
|
||||
if (frappe.get_cookie('sid')==='Guest') {
|
||||
if (frappe.session.user === 'Guest') {
|
||||
// session expired
|
||||
frappe.app.handle_session_expired();
|
||||
}
|
||||
|
|
@ -321,7 +321,7 @@ frappe.request.cleanup = function(opts, r) {
|
|||
if(r) {
|
||||
|
||||
// session expired? - Guest has no business here!
|
||||
if(r.session_expired || frappe.get_cookie("sid")==="Guest") {
|
||||
if (r.session_expired || frappe.session.user === "Guest") {
|
||||
frappe.app.handle_session_expired();
|
||||
return;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -172,13 +172,6 @@ def generate_csrf_token():
|
|||
frappe.local.session.data.csrf_token = frappe.generate_hash()
|
||||
frappe.local.session_obj.update(force=True)
|
||||
|
||||
# send sid and csrf token to the user
|
||||
# handles the case when a user logs in again from another tab
|
||||
# and it leads to invalid request in the current tab
|
||||
frappe.publish_realtime(event="csrf_generated",
|
||||
message={"sid": frappe.local.session.sid, "csrf_token": frappe.local.session.data.csrf_token},
|
||||
user=frappe.session.user, after_commit=True)
|
||||
|
||||
class Session:
|
||||
def __init__(self, user, resume=False, full_name=None, user_type=None):
|
||||
self.sid = cstr(frappe.form_dict.get('sid') or
|
||||
|
|
|
|||
|
|
@ -183,10 +183,6 @@ $.extend(frappe, {
|
|||
.html('<div class="content"><i class="'+icon+' text-muted"></i><br>'
|
||||
+text+'</div>').appendTo(document.body);
|
||||
},
|
||||
get_sid: function() {
|
||||
var sid = frappe.get_cookie("sid");
|
||||
return sid && sid !== "Guest";
|
||||
},
|
||||
send_message: function(opts, btn) {
|
||||
return frappe.call({
|
||||
type: "POST",
|
||||
|
|
@ -212,8 +208,7 @@ $.extend(frappe, {
|
|||
});
|
||||
},
|
||||
render_user: function() {
|
||||
var sid = frappe.get_cookie("sid");
|
||||
if(sid && sid!=="Guest") {
|
||||
if (frappe.is_user_logged_in()) {
|
||||
$(".btn-login-area").toggle(false);
|
||||
$(".logged-in").toggle(true);
|
||||
$(".full-name").html(frappe.get_cookie("full_name"));
|
||||
|
|
@ -323,7 +318,7 @@ $.extend(frappe, {
|
|||
return $(".navbar .search, .sidebar .search");
|
||||
},
|
||||
is_user_logged_in: function() {
|
||||
return frappe.get_cookie("sid") && frappe.get_cookie("sid") !== "Guest";
|
||||
return frappe.get_cookie("user_id") !== "Guest" && frappe.session.user !== "Guest";
|
||||
},
|
||||
add_switch_to_desk: function() {
|
||||
$('.switch-to-desk').removeClass('hidden');
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue