settings: Harden session and CSRF cookies with __Host- prefix.

This defends against cross-origin session fixation attacks. Renaming the cookies means this one-time upgrade will have the unfortunate side effect of logging everyone out, but they’ll get more secure sessions in return. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2025-10-23 04:52:12 +00:00 · 2020-04-06 15:04:31 -07:00
parent f47a9408cd
commit b1e7d8b51d
2 changed files with 7 additions and 0 deletions
--- a/docs/overview/changelog.md
+++ b/docs/overview/changelog.md
@@ -22,6 +22,9 @@ in bursts.

 **Upgrade notes:**

+- Logged in users may be logged out during this one-time upgrade to
+  transition them to more secure session cookies.
+
 **Full feature changelog:**

 - Added new options to control whether the incoming email integration
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -388,6 +388,10 @@ if PRODUCTION:
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True

+    # https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.2
+    SESSION_COOKIE_NAME = "__Host-sessionid"
+    CSRF_COOKIE_NAME = "__Host-csrftoken"
+
 # Prevent Javascript from reading the CSRF token from cookies.  Our code gets
 # the token from the DOM, which means malicious code could too.  But hiding the
 # cookie will slow down some attackers.