From b1e7d8b51d425d8cb797186a3b000de7399e06c4 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Mon, 6 Apr 2020 15:04:31 -0700
Subject: [PATCH] settings: Harden session and CSRF cookies with __Host- prefix.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This defends against cross-origin session fixation attacks. Renaming the cookies means this one-time upgrade will have the unfortunate side effect of logging everyone out, but they’ll get more secure sessions in return.
Signed-off-by: Anders Kaseorg
---
 docs/overview/changelog.md | 3 +++
 zproject/settings.py | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/docs/overview/changelog.md b/docs/overview/changelog.md
index d47e46d4d4..33b48eb7a9 100644
--- a/docs/overview/changelog.md
+++ b/docs/overview/changelog.md
@@ -22,6 +22,9 @@ in bursts.
 **Upgrade notes:**
+- Logged in users may be logged out during this one-time upgrade to
+ transition them to more secure session cookies.
+
 **Full feature changelog:**
 - Added new options to control whether the incoming email integration
diff --git a/zproject/settings.py b/zproject/settings.py
index 4ad1d59de8..63f0e09969 100644
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -388,6 +388,10 @@ if PRODUCTION:
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
+ # https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.2
+ SESSION_COOKIE_NAME = "__Host-sessionid"
+ CSRF_COOKIE_NAME = "__Host-csrftoken"
+
 # Prevent Javascript from reading the CSRF token from cookies. Our code gets
 # the token from the DOM, which means malicious code could too. But hiding the
 # cookie will slow down some attackers.
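Review bot: The `__Host-` names assigned to SESSION_COOKIE_NAME and CSRF_COOKIE_NAME in the settings.py hunk are only accepted by browsers when the cookie is Secure, is scoped to Path=/ and carries no Domain attribute; the hunk shows the two *_COOKIE_SECURE settings but nothing in it pins the domain or path, so a deployment that sets SESSION_COOKIE_DOMAIN / CSRF_COOKIE_DOMAIN (or a non-root *_COOKIE_PATH) elsewhere would have its session and CSRF cookies silently dropped and every production login would fail without an error on the server side. I would state that precondition next to the names rather than only linking the draft, e.g. `# __Host- cookies are rejected unless Secure, Path=/ and no Domain attribute: keep SESSION_COOKIE_DOMAIN/CSRF_COOKIE_DOMAIN unset and *_COOKIE_PATH at the default "/"`. Whether any of those settings is assigned elsewhere in settings.py cannot be seen from this hunk, and the `if PRODUCTION:` block the new lines belong to starts outside it. The changelog entry covers the forced logout but not this constraint, so an operator overriding the cookie domain for subdomain sharing would have no warning.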