Merge #2530

2530: disable SESSION_COOKIE_SECURE when TLS_FLAVOR=notls r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? People are unlikely to proxy everything ### Related issue(s) - closes #2527 Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2024-12-12 10:45:38 +02:00 · 2022-11-15 12:20:49 +00:00 · 2022-11-15 12:20:49 +00:00 · 40bdf7a6d9
commit 40bdf7a6d9
parent 3b150ff9a4 b9e5560fb6
1 changed files with 3 additions and 1 deletions
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@ -74,7 +74,7 @@ DEFAULT_CONFIG = {
    'SESSION_KEY_BITS': 128,
    'SESSION_TIMEOUT': 3600,
    'PERMANENT_SESSION_LIFETIME': 30*24*3600,
-    'SESSION_COOKIE_SECURE': True,
+    'SESSION_COOKIE_SECURE': None,
    'CREDENTIAL_ROUNDS': 12,
    'TLS_PERMISSIVE': True,
    'TZ': 'Etc/UTC',
@ -157,6 +157,8 @@ class ConfigManager:
        self.config['SESSION_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/3'
        self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
        self.config['SESSION_COOKIE_HTTPONLY'] = True
+        if self.config['SESSION_COOKIE_SECURE'] is None:
+            self.config['SESSION_COOKIE_SECURE'] = self.config['TLS_FLAVOR'] != 'notls'
        self.config['SESSION_PERMANENT'] = True
        self.config['SESSION_TIMEOUT'] = int(self.config['SESSION_TIMEOUT'])
        self.config['PERMANENT_SESSION_LIFETIME'] = int(self.config['PERMANENT_SESSION_LIFETIME'])