From e3445978615286e631dbcffa347de467533908d6 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 28 Apr 2016 13:41:50 -0400
Subject: [PATCH] Ensure that the `Secure` flag is set on session cookies when under HTTPS

---
 app.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/app.py b/app.py
index 1a7375000..42bcaf514 100644
--- a/app.py
+++ b/app.py
@@ -78,6 +78,19 @@ _distributed_storage_preference = os.environ.get('QUAY_DISTRIBUTED_STORAGE_PREFE
 if _distributed_storage_preference:
   app.config['DISTRIBUTED_STORAGE_PREFERENCE'] = _distributed_storage_preference
+# Generate a secret key if none was specified.
+if app.config['SECRET_KEY'] is None:
+  logger.debug('Generating in-memory secret key')
+  app.config['SECRET_KEY'] = generate_secret_key()
+
+# If the "preferred" scheme is https, then http is not allowed. Therefore, ensure we have a secure
+# session cookie.
+if app.config['PREFERRED_URL_SCHEME'] == 'https':
+  app.config['SESSION_COOKIE_SECURE'] = True
+
+# Load features from config.
+features.import_features(app.config)
+
 class RequestWithId(Request):
   request_gen = staticmethod(urn_generator(['request']))
@@ -112,13 +125,6 @@ for handler in root_logger.handlers:
 app.request_class = RequestWithId
-# Generate a secret key if none was specified.
-if app.config['SECRET_KEY'] is None:
-  logger.debug('Generating in-memory secret key')
-  app.config['SECRET_KEY'] = generate_secret_key()
-
-features.import_features(app.config)
-
 # Register custom converters.
 class RegexConverter(BaseConverter):
   """ Converter for handling custom regular expression patterns in paths. """
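Review bot: The new `if app.config['PREFERRED_URL_SCHEME'] == 'https':` guard in the first hunk is a case-sensitive exact match, so a deployment that configures the scheme as `HTTPS` (or with surrounding whitespace) silently keeps the session cookie without the `Secure` flag, which is the failure mode this patch exists to prevent; normalising first, `if str(app.config['PREFERRED_URL_SCHEME']).strip().lower() == 'https':`, closes that gap without changing the intended behaviour. Relatedly, the moved secret-key fallback logs `'Generating in-memory secret key'` at debug level, yet a missing `SECRET_KEY` in a multi-process or restarted deployment means sessions signed by one process are rejected by another and all sessions are invalidated on restart; `logger.warning(...)` would make that misconfiguration visible in production logs, which rarely run at debug. A comment on the fallback such as `# NOTE: an in-memory key is per-process and lost on restart; production configs should set SECRET_KEY explicitly.` would document the trade-off for the next maintainer. The second hunk is the pure removal of the same statements from their old position and needs no separate note.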