[Rt-commit] rt branch 5.0/add-samesite-cookie-options created. rt-5.0.2-277-g01c1c3e7dc
BPS Git Server
git at git.bestpractical.com
Fri Jun 17 22:53:08 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0/add-samesite-cookie-options has been created
at 01c1c3e7dc0dbbc23582203af2ab442e939faaf9 (commit)
- Log -----------------------------------------------------------------
commit 01c1c3e7dc0dbbc23582203af2ab442e939faaf9
Author: Brian Conry <bconry at bestpractical.com>
Date: Fri Jun 17 17:17:01 2022 -0500
Add SameSite to cookies from WebSameSiteCookies
This change adds the SameSite option to RT's session cookies, with a
default value of 'Lax', providing a reasonable amount of protection
against CSRF attacks while still allowing most integrations of RT with
other systems.
It also provides a config option, WebSameSiteCookies to allow the value
to be changed from the default. Current standards allow values of
'Strict', 'Lax', and 'None'. Any value other than these will cause a
warning to be logged. Current standards also require the Secure option
to be set on the cookie when using the 'None' value, so a warning is
logged if 'None' is specified and WebSecureCookies isn't set.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 1b7720241e..6df0e7cbb8 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1400,6 +1400,19 @@ this if you display additional information on the logout page.
Set($LogoutRefresh, 1);
+=item C<$WebSameSiteCookies>
+
+By default, RT's session cookie uses the "Lax" policy for SameSite,
+preventing many classes of CSRF attacks. Other possible values are
+"Secure", which provides additional protection but may break some
+integrations of RT with other applications, and "None", which provides
+the least protection against CSRF attacks and also requires C<WebSecureCookies>
+to be set to 1.
+
+=cut
+
+Set($WebSameSiteCookies, 'Lax');
+
=item C<$WebSecureCookies>
By default, RT's session cookie isn't marked as "secure". Some web
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 89276eeba7..43b5601f1a 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1778,6 +1778,26 @@ our %META;
WebRemoteUserGecos => {
Widget => '/Widgets/Form/Boolean',
},
+ WebSameSiteCookies => {
+ Widget => '/Widgets/Form/String',
+ PostLoadCheck => sub {
+ my $self = shift;
+ my $value = $self->Get('WebSameSiteCookies');
+
+ # while both of these detected conditions are against current web standards,
+ # web standards have been known to change so these are only logged as warnings.
+ if ($value !~ /^(Strict|Lax)$/i) {
+ if ($value =~ /^None$/i) {
+ if (not $self->Get('WebSecureCookies')) {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' and WebSecureCookies is not set, browsers may reject the cookies.");
+ }
+ }
+ else {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' not known to be in the standard.");
+ }
+ }
+ },
+ },
WebSecureCookies => {
Widget => '/Widgets/Form/Boolean',
},
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 82bd3d04c6..6c3fcdc875 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -967,6 +967,7 @@ sub SendSessionCookie {
-name => _SessionCookieName(),
-value => $HTML::Mason::Commands::session{_session_id},
-path => RT->Config->Get('WebPath'),
+ -samesite => RT->Config->Get('WebSameSiteCookies'),
-secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
-httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
);
-----------------------------------------------------------------------
hooks/post-receive
--
rt
More information about the rt-commit
mailing list