From 07f68cb33fed2c1b8b23877446d7fd543540db7b Mon Sep 17 00:00:00 2001
From: VVX7
Date: Wed, 2 Oct 2019 19:32:39 -0400
Subject: [PATCH] chg: [authentication] configure misp-dashboard cookie policy
---
 config/config.cfg.default | 6 ++++++
 server.py | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/config/config.cfg.default b/config/config.cfg.default
index 50fa496..480991e 100644
--- a/config/config.cfg.default
+++ b/config/config.cfg.default
@@ -7,6 +7,12 @@ debug = False
 misp_fqdn = "https://misp.local"
 ssl_verify = True
 session_secret = **Change_Me**
+# Only send cookies with requests over HTTPS if the cookie is marked secure.
+session_cookie_secure = True
+# Prevent sending cookies in all external requests including regular links.
+session_cookie_samesite = Strict
+# Expire session cookie after n days.
+permanent_session_lifetime = 1
 
 [Dashboard]
 #hours
diff --git a/server.py b/server.py
index 5877aca..d6fbdbb 100755
--- a/server.py
+++ b/server.py
@@ -7,6 +7,7 @@ import logging
 import math
 import os
 import re
+from datetime import timedelta
 import random
 from time import gmtime as now
 from time import sleep, strftime
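Review bot: The comment above `session_cookie_secure` is circular ("only send cookies over HTTPS if the cookie is marked secure") and does not tell an operator the consequence: with this set to True the browser never sends the session cookie over plain HTTP, so a dashboard served without TLS will not keep anyone logged in. Suggest `# Mark the session cookie Secure: browsers then send it only over HTTPS (set False only for plain-HTTP test deployments).` The `permanent_session_lifetime` comment should state the unit and that Flask applies it only to sessions marked permanent, e.g. `# Lifetime, in days, of sessions marked permanent.` Note also that `session_cookie_samesite = Strict` is a string value, which matters for how server.py reads it.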
@@ -36,9 +37,18 @@ server_debug = cfg.get("Server", "debug")
 auth_host = cfg.get("Auth", "misp_fqdn")
 auth_ssl_verify = cfg.getboolean("Auth", "ssl_verify")
 auth_session_secret = cfg.get("Auth", "session_secret")
+auth_session_cookie_secure = cfg.getboolean("Auth", "session_cookie_secure")
+auth_session_cookie_samesite = cfg.getboolean("Auth", "session_cookie_samesite")
+auth_permanent_session_lifetime = cfg.getint("Auth", "permanent_session_lifetime")
 
 app = Flask(__name__)
-app.secret_key = auth_session_secret
+#app.secret_key = auth_session_secret
+app.config.update(
+    SECRET_KEY=auth_session_secret,
+    SESSION_COOKIE_SECURE=auth_session_cookie_secure,
+    SESSION_COOKIE_SAMESITE=auth_session_cookie_samesite,
+    PERMANENT_SESSION_LIFETIME=timedelta(days=auth_permanent_session_lifetime)
+)
 
 redis_server_log = redis.StrictRedis(
     host=cfg.get('RedisGlobal', 'host'),
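Review bot: `session_cookie_samesite` is read with `cfg.getboolean`, but the default config in this same commit sets it to `Strict`, which configparser does not accept as a boolean, so startup raises ValueError; Flask's SESSION_COOKIE_SAMESITE expects the string 'Strict', 'Lax' or None in any case. Change the line to `auth_session_cookie_samesite = cfg.get("Auth", "session_cookie_samesite")`. The commented-out `#app.secret_key = auth_session_secret` line should be deleted rather than kept, since `SECRET_KEY` in `app.config.update` replaces it. PERMANENT_SESSION_LIFETIME only bounds sessions that have `session.permanent` set; whether the login handler does that is outside this hunk, so without it the configured lifetime has no effect on the cookie. The `redis.StrictRedis(` call at the end of the hunk continues past it.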