diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb
index 6116b1f2b..c8ab572e2 100644
--- a/app/controllers/agent_connect/agent_controller.rb
+++ b/app/controllers/agent_connect/agent_controller.rb
@@ -12,8 +12,8 @@ class AgentConnect::AgentController < ApplicationController
 def login
 uri, state, nonce = AgentConnectService.authorization_uri
- cookies.encrypted[STATE_COOKIE_NAME] = state
- cookies.encrypted[NONCE_COOKIE_NAME] = nonce
+ cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true }
+ cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production?, httponly: true }
 redirect_to uri, allow_other_host: true
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index bc172fe47..659b44a31 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
 def set_locale(locale)
 if locale && locale.to_sym.in?(I18n.available_locales)
- cookies[:locale] = locale
+ cookies[:locale] = { value: locale, secure: Rails.env.production?, httponly: true }
 if user_signed_in?
 current_user.update(locale: locale)
 end
diff --git a/app/controllers/application_controller/long_lived_authenticity_token.rb b/app/controllers/application_controller/long_lived_authenticity_token.rb
index cb10c52bd..54eb16f31 100644
--- a/app/controllers/application_controller/long_lived_authenticity_token.rb
+++ b/app/controllers/application_controller/long_lived_authenticity_token.rb
@@ -24,7 +24,8 @@ module ApplicationController::LongLivedAuthenticityToken
 cookies.signed[COOKIE_NAME] = {
 value: csrf_token,
 expires: 1.year.from_now,
- httponly: true
+ httponly: true,
+ secure: Rails.env.production?
 }
 session[:_csrf_token] = csrf_token
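Review bot: `secure: Rails.env.production?` ties the Secure flag to the environment name rather than to the transport, so a staging or review deployment that is served over HTTPS would still set these cookies without Secure, and the same expression is repeated in every hunk of this commit (application_controller.rb, long_lived_authenticity_token.rb, procedures_controller.rb, trusted_device_concern.rb, session_store.rb). One shared setting would keep the call sites consistent, e.g. `secure: Rails.application.config.force_ssl` if the app enables `force_ssl`, or a single constant such as `SECURE_COOKIES = Rails.env.production?` read from each site; whether `force_ssl` is set is not visible in the diff. The state and nonce cookies written in `login` also get no `expires:`, although they are single-use values for one authorization round-trip, so a short lifetime such as `expires: 15.minutes.from_now` would bound how long a stale value lingers in the browser. Leave `same_site` at the Rails default (Lax) for these two cookies: the callback arrives through a top-level redirect from the identity provider, and Strict would stop the browser from sending them on that request.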
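Review bot: Marking the `locale` cookie `httponly` is harmless for a non-secret value, but it does hide the cookie from `document.cookie`; if any front-end code reads `locale` client-side it will stop working, which this diff cannot show, so it is worth checking the JavaScript side before merging. The `set_locale` method continues outside the hunk.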
diff --git a/app/controllers/instructeurs/procedures_controller.rb b/app/controllers/instructeurs/procedures_controller.rb
index f737ea591..c61b19aa4 100644
--- a/app/controllers/instructeurs/procedures_controller.rb
+++ b/app/controllers/instructeurs/procedures_controller.rb
@@ -247,7 +247,9 @@ module Instructeurs
 @export_templates = current_instructeur.export_templates_for(@procedure).includes(:groupe_instructeur)
 cookies.encrypted[cookies_export_key] = {
 value: DateTime.current,
- expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT
+ expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT,
+ httponly: true,
+ secure: Rails.env.production?
 }
 respond_to do |format|
diff --git a/app/models/concerns/trusted_device_concern.rb b/app/models/concerns/trusted_device_concern.rb
index 2aa895893..1765f565c 100644
--- a/app/models/concerns/trusted_device_concern.rb
+++ b/app/models/concerns/trusted_device_concern.rb
@@ -8,7 +8,8 @@ module TrustedDeviceConcern
 cookies.encrypted[TRUSTED_DEVICE_COOKIE_NAME] = {
 value: JSON.generate({ created_at: start_at }),
 expires: start_at + TRUSTED_DEVICE_PERIOD,
- httponly: true
+ httponly: true,
+ secure: Rails.env.production?
 }
 end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index f110f4cb3..a38b32cae 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_DS_session'
+Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?, httponly: true
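Review bot: `httponly: true` on the `:cookie_store` line is, as far as I recall, already the store's default, so the only effective change in session_store.rb is the `secure:` flag, which carries the environment-name caveat already raised on agent_controller.rb. If the application is only ever served over HTTPS, giving the session key the browser-enforced `__Host-` prefix (`key: '__Host-_DS_session'`) would make the user agent itself require Secure, Path=/ and no Domain attribute, independently of the Rails environment. That renames the cookie and therefore invalidates existing sessions once, which makes it a deliberate follow-up rather than part of this change.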