[Rt-commit] rt branch 5.0/add-samesite-cookie-options created. rt-5.0.2-284-gb682fb1fb3
BPS Git Server
git at git.bestpractical.com
Tue Jun 28 13:57:25 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0/add-samesite-cookie-options has been created
at b682fb1fb3d5ee0afef3595c0c8605573cc6726e (commit)
- Log -----------------------------------------------------------------
commit b682fb1fb3d5ee0afef3595c0c8605573cc6726e
Author: Brian Conry <bconry at bestpractical.com>
Date: Tue Jun 28 08:55:29 2022 -0500
Tests require $WebSecureCookies=0
Because the tests don't use https to talk to the server they need
WebSecureCookie set to 0.
diff --git a/lib/RT/Test.pm b/lib/RT/Test.pm
index e064675385..7972b06b18 100644
--- a/lib/RT/Test.pm
+++ b/lib/RT/Test.pm
@@ -313,6 +313,7 @@ Set( \$WebPath, "");
Set( \@LexiconLanguages, qw(en zh_TW zh_CN fr ja));
Set( \$RTAddressRegexp , qr/^bad_re_that_doesnt_match\$/i);
Set( \$ShowHistory, "always");
+Set( \$WebSecureCookies, 0);
};
if ( $ENV{'RT_TEST_DB_SID'} ) { # oracle case
print $config "Set( \$DatabaseName , '$ENV{'RT_TEST_DB_SID'}' );\n";
commit 7cd2ca4722241f3833b51ff697651ef5182314ab
Author: Brian Conry <bconry at bestpractical.com>
Date: Mon Jun 27 16:49:03 2022 -0500
Update default value for WebSecureCookie
Previously $WebSecureCookie defaulted to '0', so RT did not set the
'Secure' attribute on the session cookies.
This changes the default to '1' so that session cookies are flagged as
'Secure' by default. This will generally cause browsers to require an
SSL connection to the server and may also change how the cookies are
cached.
diff --git a/docs/UPGRADING-5.0 b/docs/UPGRADING-5.0
index 2d7db363a6..bbdfbdc556 100644
--- a/docs/UPGRADING-5.0
+++ b/docs/UPGRADING-5.0
@@ -465,4 +465,25 @@ you can try switching to EXACT and testing performance after upgrading.
=back
+=head1 UPGRADING FROM 5.0.3 AND EARLIER
+
+=over 4
+
+=item * Updated defaults for web session cookies
+
+The previous default value for the configuration option C<$WebSecureCookies>
+was '0', meaning that RT did not, by default, set the C<Secure> option on
+session cookies. The default for this option has been changed to '1', which
+will require all users to connect to the RT instance over SSL and will trigger
+other changes in browser behavior, such as cookie caching.
+
+RT previously did not set a C<SameSite> policy for session cookies. How this
+is handled by browsers varies. RT 5.0.4 introcuces the configuration option
+C<$WebSameSiteCOokies> with a default value of 'Lax', which provides
+additional defense against CSRF attacks in some browsers. See
+L<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite>
+for more details on valid values, their meaning, and browser support.
+
+=back
+
=cut
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6df0e7cbb8..5e3194d264 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1415,17 +1415,16 @@ Set($WebSameSiteCookies, 'Lax');
=item C<$WebSecureCookies>
-By default, RT's session cookie isn't marked as "secure". Some web
+By default, RT's session cookie is marked as "secure". Some web
browsers will treat secure cookies more carefully than non-secure
ones, being careful not to write them to disk, only sending them over
-an SSL secured connection, and so on. To enable this behavior, set
-C<$WebSecureCookies> to 1. NOTE: You probably don't want to turn this
-on I<unless> users are only connecting via SSL encrypted HTTPS
-connections.
+an SSL secured connection, and so on. To disable this behavior, set
+C<$WebSecureCookies> to 0. NOTE: You probably don't want to turn this
+off I<unless> user connections to RT are secured by some other method.
=cut
-Set($WebSecureCookies, 0);
+Set($WebSecureCookies, 1);
=item C<$WebHttpOnlyCookies>
commit 4b910c9808446e23fee83a23c526989b5ae7e1aa
Author: Brian Conry <bconry at bestpractical.com>
Date: Fri Jun 17 17:17:01 2022 -0500
Add SameSite to cookies from WebSameSiteCookies
This change adds the SameSite option to RT's session cookies, with a
default value of 'Lax', providing a reasonable amount of protection
against CSRF attacks while still allowing most integrations of RT with
other systems.
It also provides a config option, WebSameSiteCookies to allow the value
to be changed from the default. Current standards allow values of
'Strict', 'Lax', and 'None'. Any value other than these will cause a
warning to be logged. Current standards also require the Secure option
to be set on the cookie when using the 'None' value, so a warning is
logged if 'None' is specified and WebSecureCookies isn't set.
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 1b7720241e..6df0e7cbb8 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1400,6 +1400,19 @@ this if you display additional information on the logout page.
Set($LogoutRefresh, 1);
+=item C<$WebSameSiteCookies>
+
+By default, RT's session cookie uses the "Lax" policy for SameSite,
+preventing many classes of CSRF attacks. Other possible values are
+"Secure", which provides additional protection but may break some
+integrations of RT with other applications, and "None", which provides
+the least protection against CSRF attacks and also requires C<WebSecureCookies>
+to be set to 1.
+
+=cut
+
+Set($WebSameSiteCookies, 'Lax');
+
=item C<$WebSecureCookies>
By default, RT's session cookie isn't marked as "secure". Some web
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 89276eeba7..43b5601f1a 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1778,6 +1778,26 @@ our %META;
WebRemoteUserGecos => {
Widget => '/Widgets/Form/Boolean',
},
+ WebSameSiteCookies => {
+ Widget => '/Widgets/Form/String',
+ PostLoadCheck => sub {
+ my $self = shift;
+ my $value = $self->Get('WebSameSiteCookies');
+
+ # while both of these detected conditions are against current web standards,
+ # web standards have been known to change so these are only logged as warnings.
+ if ($value !~ /^(Strict|Lax)$/i) {
+ if ($value =~ /^None$/i) {
+ if (not $self->Get('WebSecureCookies')) {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' and WebSecureCookies is not set, browsers may reject the cookies.");
+ }
+ }
+ else {
+ RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' not known to be in the standard.");
+ }
+ }
+ },
+ },
WebSecureCookies => {
Widget => '/Widgets/Form/Boolean',
},
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 82bd3d04c6..6c3fcdc875 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -967,6 +967,7 @@ sub SendSessionCookie {
-name => _SessionCookieName(),
-value => $HTML::Mason::Commands::session{_session_id},
-path => RT->Config->Get('WebPath'),
+ -samesite => RT->Config->Get('WebSameSiteCookies'),
-secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
-httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
);
-----------------------------------------------------------------------
hooks/post-receive
--
rt
More information about the rt-commit
mailing list