open.source/whoogle-search
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use lax for session SameSite value (not strict)

Browse Source 
SESSION_COOKIE_SAMESITE must be set to 'lax' to allow the user's
previous session to persist when accessing the instance from an external
link. Setting this value to 'strict' causes Whoogle to revalidate a new
session, and fail, resulting in cookies being disabled.

This could be re-evaluated if Whoogle ever switches to client side
configuration instead.

Fixes #749
This commit is contained in:
Ben Busby 2022-05-10 17:40:58 -06:00
parent 5d521be5d9
commit f5d599e7d2
No known key found for this signature in database
GPG Key ID: B9B7231E01D924A1
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/__init__.py
View File

@ -26,10 +26,18 @@ if os.getenv('WHOOGLE_DOTENV', ''):
load_dotenv(os.path.join(os.path.dirname(os.path.abspath(__file__)), load_dotenv(os.path.join(os.path.dirname(os.path.abspath(__file__)),
dotenv_path)) dotenv_path))
# Session values
# NOTE: SESSION_COOKIE_SAMESITE must be set to 'lax' to allow the user's
# previous session to persist when accessing the instance from an external
# link. Setting this value to 'strict' causes Whoogle to revalidate a new
# session, and fail, resulting in cookies being disabled.
#
# This could be re-evaluated if Whoogle ever switches to client side
# configuration instead.
app.default_key = generate_user_key() app.default_key = generate_user_key()
app.config['SECRET_KEY'] = os.urandom(32) app.config['SECRET_KEY'] = os.urandom(32)
app.config['SESSION_TYPE'] = 'filesystem' app.config['SESSION_TYPE'] = 'filesystem'
app.config['SESSION_COOKIE_SAMESITE'] = 'strict' app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
if os.getenv('HTTPS_ONLY'): if os.getenv('HTTPS_ONLY'):
app.config['SESSION_COOKIE_NAME'] = '__Secure-session' app.config['SESSION_COOKIE_NAME'] = '__Secure-session'