security: Send SameSite=Lax cookies.

Send the `csrftoken` and `sessionid` cookies with `SameSite=Lax`. This adds a layer of defense against CSRF attacks and matches the new default in Django 2.1: https://docs.djangoproject.com/en/2.1/releases/2.1/#samesite-cookies This can be reverted when we upgrade to Django ≥ 2.1. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2025-10-31 03:53:50 +00:00 · 2019-10-29 20:23:54 -07:00
parent 042c558bb3
commit 70f72a3ae8
5 changed files with 12 additions and 1 deletions
--- a/version.py
+++ b/version.py
@@ -26,4 +26,4 @@ LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.org/2019/03/01/zulip-2-0-relea
 #   historical commits sharing the same major version, in which case a
 #   minor version bump suffices.

-PROVISION_VERSION = '61.0'
+PROVISION_VERSION = '61.1'