Merge pull request #10576 from colinux/secure-cookies

Tech: cookies avec flag `secure` et `httponly`
Colin Darie 2024-07-08 09:33:30 +00:00 committed by GitHub
commit 3e9cb6f388
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 11 additions and 7 deletions


@ -12,8 +12,8 @@ class AgentConnect::AgentController < ApplicationController
def login def login
uri, state, nonce = AgentConnectService.authorization_uri uri, state, nonce = AgentConnectService.authorization_uri
cookies.encrypted[STATE_COOKIE_NAME] = state cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true }
cookies.encrypted[NONCE_COOKIE_NAME] = nonce cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production?, httponly: true }
redirect_to uri, allow_other_host: true redirect_to uri, allow_other_host: true
end end
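Review bot: `secure: Rails.env.production?` ties the Secure attribute to the Rails environment name rather than to whether the request arrives over TLS, so an HTTPS deployment running under another environment (a staging instance, for example) would still send the state and nonce cookies without Secure. The same expression is repeated in the locale, long-lived CSRF token, export, trusted-device and session-store hunks of this commit; one shared options helper, or `secure: request.ssl?` in the controllers, would keep the six call sites from drifting apart. If production already sets `config.force_ssl = true`, ActionDispatch::SSL flags every cookie Secure by default, which is worth a comment so the per-cookie flag reads as defence in depth. The controller class starts above this hunk and continues after it.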


@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
def set_locale(locale) def set_locale(locale)
if locale && locale.to_sym.in?(I18n.available_locales) if locale && locale.to_sym.in?(I18n.available_locales)
cookies[:locale] = locale cookies[:locale] = { value: locale, secure: Rails.env.production?, httponly: true }
if user_signed_in? if user_signed_in?
current_user.update(locale: locale) current_user.update(locale: locale)
end end


@ -24,7 +24,8 @@ module ApplicationController::LongLivedAuthenticityToken
cookies.signed[COOKIE_NAME] = { cookies.signed[COOKIE_NAME] = {
value: csrf_token, value: csrf_token,
expires: 1.year.from_now, expires: 1.year.from_now,
httponly: true httponly: true,
secure: Rails.env.production?
} }
session[:_csrf_token] = csrf_token session[:_csrf_token] = csrf_token


@ -247,7 +247,9 @@ module Instructeurs
@export_templates = current_instructeur.export_templates_for(@procedure).includes(:groupe_instructeur) @export_templates = current_instructeur.export_templates_for(@procedure).includes(:groupe_instructeur)
cookies.encrypted[cookies_export_key] = { cookies.encrypted[cookies_export_key] = {
value: DateTime.current, value: DateTime.current,
expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT,
httponly: true,
secure: Rails.env.production?
} }
respond_to do |format| respond_to do |format|


@ -8,7 +8,8 @@ module TrustedDeviceConcern
cookies.encrypted[TRUSTED_DEVICE_COOKIE_NAME] = { cookies.encrypted[TRUSTED_DEVICE_COOKIE_NAME] = {
value: JSON.generate({ created_at: start_at }), value: JSON.generate({ created_at: start_at }),
expires: start_at + TRUSTED_DEVICE_PERIOD, expires: start_at + TRUSTED_DEVICE_PERIOD,
httponly: true httponly: true,
secure: Rails.env.production?
} }
end end


@ -1,3 +1,3 @@
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: '_DS_session' Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?, httponly: true
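Review bot: `httponly: true` on the session store restates the default, since the Rails cookie session store already sets HttpOnly; the effective change on this line is `secure:`. A short comment above the line would document the intent, e.g. `# Secure is off outside production so sessions still work over plain HTTP in development`.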