Support Flask-Login cookie security settings #3044

Closed
stanhu opened this issue Nov 6, 2018 · 0 comments
stanhu commented Nov 6, 2018

Issue Summary

A security audit showed that the cookie settings on the Flask-Login remember_token didn't have the HttpOnly and Secure flags set. Redash uses Flask-Login, but there doesn't appear to be a way to pass along the REMEMBER_ settings: https://flask-login.readthedocs.io/en/latest#cookie-settings

Steps to Reproduce

  1. Enable HTTPS.
  2. Log in to Redash.
  3. Inspect the cookies.

The HttpOnly and Secure flags are not set.

Technical details:

Here is the hack we added to the source code:

root@redash:/opt/redash/current/redash/authentication# diff __init__.py.orig __init__.py
143a144
>     app.config.update(REMEMBER_COOKIE_SECURE = True, REMEMBER_COOKIE_HTTPONLY = True)
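Review bot: hard-coding `app.config.update(REMEMBER_COOKIE_SECURE = True, REMEMBER_COOKIE_HTTPONLY = True)` at line 144 of authentication/__init__.py makes the remember cookie unusable on any deployment reached over plain http:// (local development, test instances), because browsers will not send a Secure cookie on a non-HTTPS origin. Gate REMEMBER_COOKIE_SECURE on the setting that already indicates HTTPS is enforced, or read it from an environment variable so operators can turn it off, while leaving REMEMBER_COOKIE_HTTPONLY unconditionally True. Also note that this only covers Flask-Login's remember_token; the Flask session cookie is governed separately by SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY (Flask defaults HttpOnly on and Secure off), so a fix for this issue should set both pairs from the same source.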
@stanhu stanhu changed the title Support Flask-Login remember token security settings Support Flask-Login cookie security settings Nov 6, 2018
@arikfr arikfr added the Backend label Nov 13, 2018
@rauchy rauchy self-assigned this Dec 23, 2018
@rauchy rauchy added review and removed in progress labels Dec 30, 2018
@rauchy rauchy closed this as completed Feb 17, 2019
@rauchy rauchy removed the review label Feb 17, 2019
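Step 3 of the reproduction ("inspect the cookies") can be automated. The following is an added example, not code from the issue or from Redash: it parses Set-Cookie header values and reports, per cookie, which of the Secure and HttpOnly flags are missing. The header values are constructed samples modelled on a pre-fix login response; `audit_http_response` is a hypothetical helper that applies the same check to a live `http.client` response.

```python
# Cookie flag audit: standard library only, runs offline on constructed input.

# Constructed sample Set-Cookie headers (values abbreviated), modelled on a
# Redash login response before REMEMBER_COOKIE_SECURE/HTTPONLY were applied.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=eyJfZnJlc2gi.abbreviated; HttpOnly; Path=/",
    "remember_token=1|abbreviated; Expires=Tue, 06 Nov 2019 00:00:00 GMT; Path=/",
]

# Flags every authentication cookie should carry (attribute names lower-cased).
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie value.

    Attributes are split on ';' only, so Expires values containing commas
    survive intact. Flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_cookies(headers, required=REQUIRED_FLAGS):
    """Map each cookie name to the list of required flags it lacks.

    Cookies that carry every required flag are omitted, so an empty dict
    means the response passed the audit.
    """
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def audit_http_response(response):
    """Hypothetical helper: audit a live http.client.HTTPResponse.

    email.message.Message.get_all returns every Set-Cookie header separately,
    which matters because a login response sets several cookies at once.
    """
    return audit_cookies(response.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Adding `"samesite"` to REQUIRED_FLAGS extends the same check to the SameSite attribute once the application sets it.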