[Rt-commit] rt branch 5.0/add-samesite-cookie-options created. rt-5.0.2-277-g450bba0b6f
BPS Git Server
git at git.bestpractical.com
Fri Jun 17 22:37:32 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0/add-samesite-cookie-options has been created
at 450bba0b6f5297f119dfe55588e587fa75dac4ba (commit)
- Log -----------------------------------------------------------------
commit 450bba0b6f5297f119dfe55588e587fa75dac4ba
Author: Brian Conry <bconry at bestpractical.com>
Date: Fri Jun 17 17:17:01 2022 -0500
Add SameSite to cookies from WebSameSiteCookies
This change adds the SameSite option to RT's session cookies, with a
default value of 'Strict', providing the most protection against CSRF
attacks.
It also provides a config option, WebSameSiteCookies to allow the value
to be changed from the default. Current standards allow values of
'Strict', 'Lax', and 'None'. Any value other than these will cause a
warning to be logged. Current standards also require the Secure option
to be set on the cookie when using the 'None' value, so a warning is
logged if that condition is detected.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 1b7720241e..d5cc69bfbd 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1400,6 +1400,20 @@ this if you display additional information on the logout page.
Set($LogoutRefresh, 1);
+=item C<$WebSameSiteCookies>
+
+By default, RT's session cookie uses the "Secure" policy for SameSite,
+preventing most classes of CSRF attacks. Some integrations of RT
+with other applications may require changing this to the "Lax" policy,
+which still provides protection against many classes of CSRF attacks.
+Setting this to the "None" policy is not recommended as it may expose
+the RT instance to CSRF attacks, and using "None" without also setting
+C<WebSecureCookies> to 1 may cause browsers to reject the cookies.
+
+=cut
+
+Set($WebSameSiteCookies, 'Strict');
+
=item C<$WebSecureCookies>
By default, RT's session cookie isn't marked as "secure". Some web
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 89276eeba7..43b5601f1a 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1778,6 +1778,26 @@ our %META;
WebRemoteUserGecos => {
Widget => '/Widgets/Form/Boolean',
},
+ WebSameSiteCookies => {
+ Widget => '/Widgets/Form/String',
+ PostLoadCheck => sub {
+ my $self = shift;
+ my $value = $self->Get('WebSameSiteCookies');
+
+ # while both of these detected conditions are against current web standards,
+ # web standards have been known to change so these are only logged as warnings.
+ if ($value !~ /^(Strict|Lax)$/i) {
+ if ($value =~ /^None$/i) {
+ if (not $self->Get('WebSecureCookies')) {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' and WebSecureCookies is not set, browsers may reject the cookies.");
+ }
+ }
+ else {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' not known to be in the standard.");
+ }
+ }
+ },
+ },
WebSecureCookies => {
Widget => '/Widgets/Form/Boolean',
},
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 82bd3d04c6..6c3fcdc875 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -967,6 +967,7 @@ sub SendSessionCookie {
-name => _SessionCookieName(),
-value => $HTML::Mason::Commands::session{_session_id},
-path => RT->Config->Get('WebPath'),
+ -samesite => RT->Config->Get('WebSameSiteCookies'),
-secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
-httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
);
-----------------------------------------------------------------------
hooks/post-receive
--
rt
More information about the rt-commit
mailing list