
Remove server settings from the session cookie #4927

Merged

Conversation


@axelstudios axelstudios commented Jan 15, 2025

Any background context you want to provide?

The sessionid cookie should have only the minimal session-specific data necessary, and not server settings that can become out of sync if stored in session tokens.

What's this PR do?

Overrides the two_factor.views.core.LoginView.render method to make the backend setting INCLUDE_ACCT_REG available to the view template without storing it in each user's session cookie.

How should this be manually tested?

  1. In local_untracked.py toggle the INCLUDE_ACCT_REG = True variable and check that the login page correctly renders (or hides) the Create my Account button

  2. Optionally inspect the session cookie data and ensure the include_acct_reg is no longer included. Copy your sessionid cookie value and run the following commands:

    # shell: point Django at the project settings so SECRET_KEY resolves
    export DJANGO_SETTINGS_MODULE="config.settings.local_untracked"
    # python
    from django.conf import settings
    from django.core import signing
    
    cookie_value = "YOUR_SESSIONID_COOKIE_VALUE"
    
    # signing.loads verifies the cookie's HMAC signature with SECRET_KEY and the
    # signed_cookies salt, then decodes the JSON session payload; a tampered or
    # foreign cookie raises signing.BadSignature instead of returning data
    decoded = signing.loads(
        cookie_value,
        key=settings.SECRET_KEY,
        salt="django.contrib.sessions.backends.signed_cookies",
    )
    
    print(decoded)

    The new session data (for a logged-out user) should show the following:

    {
      "wizard_custom_login_view": {
        "step": "auth",
        "step_data": {},
        "step_files": {},
        "extra_data": {},
        "validated_step_data": {}
      }
    }
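
To run the same check outside a Django environment, the following is an added example (not part of this PR or the project) that re-implements the signed_cookies session format with the standard library: it verifies the cookie's HMAC, decodes the payload, and reports any server-setting key (here only include_acct_reg) that is still stored in the session. It assumes Django's default sha256 signer and JSON serializer; the secret and the sample sessions are constructed for the example.

```python
import base64, hashlib, hmac, json, time, zlib

# Salt used by the page's own snippet; "include_acct_reg" is the server
# setting this PR removes from the session (constructed key set, extend as needed).
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"
SERVER_SETTING_KEYS = {"include_acct_reg"}
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b62(n):  # Django's base62 encoding of the signing timestamp
    out = ""
    while n > 0:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"

def _signature(payload, secret):
    # Django's salted_hmac: key = sha256(salt + "signer" + secret), then HMAC-SHA256
    key = hashlib.sha256((SESSION_SALT + "signer" + secret).encode()).digest()
    return _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def sign_session(data, secret, ts=None):
    """Build a sessionid value the way the signed_cookies backend does (compress=True)."""
    raw = json.dumps(data, separators=(",", ":")).encode("latin-1")
    packed = zlib.compress(raw)
    body = "." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    payload = f"{body}:{_b62(int(time.time()) if ts is None else ts)}"
    return f"{payload}:{_signature(payload, secret)}"

def load_session(cookie, secret):
    """Verify the signature first, then decode; raises ValueError on a bad signature."""
    payload, sig = cookie.rsplit(":", 1)
    if not hmac.compare_digest(sig, _signature(payload, secret)):
        raise ValueError("bad session cookie signature")
    body = payload.rsplit(":", 1)[0]  # drop the timestamp (max_age is not enforced here)
    data = _b64d(body.lstrip("."))
    return json.loads(zlib.decompress(data) if body.startswith(".") else data)

def server_settings_in_session(cookie, secret):
    """Server-setting keys that leaked into the session; empty set when clean."""
    return SERVER_SETTING_KEYS & set(load_session(cookie, secret))
```

A session written before this PR yields {"include_acct_reg"} from server_settings_in_session, the new one yields an empty set, and a cookie signed with another SECRET_KEY is rejected before its contents are read.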

@axelstudios axelstudios added the Maintenance label Jan 15, 2025
@axelstudios axelstudios requested a review from perryr16 January 15, 2025 23:44
@axelstudios axelstudios force-pushed the task/remove-server-settings-from-session-cookie branch from 3a1a456 to b8e0850 January 15, 2025 23:47
@perryr16 perryr16 left a comment


Works great 🏆

@axelstudios axelstudios merged commit 61071bf into develop Jan 16, 2025
9 checks passed
@axelstudios axelstudios deleted the task/remove-server-settings-from-session-cookie branch January 16, 2025 23:15