GH-112: Explicitly mark session cookie as lax

acteng · Jun 14, 2024 · 504c686 · 504c686
1 parent acd947a
commit 504c686
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/schemes/config.py b/schemes/config.py
@@ -4,6 +4,7 @@
 class Config:
     # Flask
     SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_SAMESITE = "Lax"
     PERMANENT_SESSION_LIFETIME = timedelta(hours=1)
 
     # Flask-SQLAlchemy

diff --git a/tests/integration/test_auth.py b/tests/integration/test_auth.py
@@ -66,6 +66,14 @@ def test_authorize_redirect_sets_http_only_session_cookie(
         value = response.headers["Set-Cookie"].split("; ")
         assert value[0].startswith("session=") and "HttpOnly" in value
 
+    def test_authorize_redirect_sets_same_site_session_cookie(
+        self, oidc_server: StubOidcServer, client: FlaskClient
+    ) -> None:
+        response = client.get("/schemes")
+
+        value = response.headers["Set-Cookie"].split("; ")
+        assert value[0].startswith("session=") and "SameSite=Lax" in value
+
     @responses.activate
     def test_callback_logs_in(self, oidc_server: StubOidcServer, users: UserRepository, client: FlaskClient) -> None:
         users.add(User("boardman@example.com", authority_id=1))