chg: [authentication] configure misp-dashboard cookie policy

2019-10-02 19:32:39 -04:00 · 2019-10-02 19:32:39 -04:00 · 07f68cb33f
parent bd5984faad
commit 07f68cb33f
2 changed files with 17 additions and 1 deletions
--- a/config/config.cfg.default
+++ b/config/config.cfg.default
@ -7,6 +7,12 @@ debug = False
 misp_fqdn = "https://misp.local"
 ssl_verify = True
 session_secret = **Change_Me**
+# Only send cookies with requests over HTTPS if the cookie is marked secure.
+session_cookie_secure = True
+# Prevent sending cookies in all external requests including regular links.
+session_cookie_samesite = Strict
+# Expire session cookie after n days.
+permanent_session_lifetime = 1

 [Dashboard]
 #hours
--- a/server.py
+++ b/server.py
@ -7,6 +7,7 @@ import logging
 import math
 import os
 import re
+from datetime import timedelta
 import random
 from time import gmtime as now
 from time import sleep, strftime
@ -36,9 +37,18 @@ server_debug = cfg.get("Server", "debug")
 auth_host = cfg.get("Auth", "misp_fqdn")
 auth_ssl_verify = cfg.getboolean("Auth", "ssl_verify")
 auth_session_secret = cfg.get("Auth", "session_secret")
+auth_session_cookie_secure = cfg.getboolean("Auth", "session_cookie_secure")
+auth_session_cookie_samesite = cfg.getboolean("Auth", "session_cookie_samesite")
+auth_permanent_session_lifetime = cfg.getint("Auth", "permanent_session_lifetime")

 app = Flask(__name__)
-app.secret_key = auth_session_secret
+#app.secret_key = auth_session_secret
+app.config.update(
+    SECRET_KEY=auth_session_secret,
+    SESSION_COOKIE_SECURE=auth_session_cookie_secure,
+    SESSION_COOKIE_SAMESITE=auth_session_cookie_samesite,
+    PERMANENT_SESSION_LIFETIME=timedelta(days=auth_permanent_session_lifetime)
+)

 redis_server_log = redis.StrictRedis(
        host=cfg.get('RedisGlobal', 'host'),