Merge pull request #35150 from dimagi/em/formplayer-session-cookie-he…

…aders

Set `secure` and `httponly` on `formplayer_session` cookie

corehq/apps/cloudcare/middleware.py

@@ -1,6 +1,6 @@
+from django.conf import settings
 from django.utils.deprecation import MiddlewareMixin
 
-
 FORMPLAYER_SESSION_COOKIE_NAME = 'formplayer_session'
 
 
@@ -27,4 +27,5 @@ def _set_formplayer_session_cookie(request, response):
         couch_user = getattr(request, 'couch_user', None)
         if couch_user:
             if request.COOKIES.get(FORMPLAYER_SESSION_COOKIE_NAME) != couch_user.user_id:
-                response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id)
+                response.set_cookie(FORMPLAYER_SESSION_COOKIE_NAME, couch_user.user_id,
+                                    httponly=settings.SESSION_COOKIE_HTTPONLY)

corehq/middleware.py

@@ -340,6 +340,10 @@ def get_view_func(view_fn, view_kwargs):
 
 
 class SecureCookiesMiddleware(MiddlewareMixin):
+    """Sets `secure` flag for cookies on the response object.
+    Must be come before middleware that adds cookies, because of order and layering.
+    https://docs.djangoproject.com/en/4.2/topics/http/middleware/#middleware-order-and-layering
+    """
 
     def process_response(self, request, response):
         if hasattr(response, 'cookies') and response.cookies:

settings.py

@@ -146,6 +146,7 @@
 
 MIDDLEWARE = [
     'corehq.middleware.NoCacheMiddleware',
+    'corehq.middleware.SecureCookiesMiddleware',
     'corehq.middleware.SelectiveSessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',
@@ -171,8 +172,6 @@
     'no_exceptions.middleware.NoExceptionsMiddleware',
     'corehq.apps.locations.middleware.LocationAccessMiddleware',
     'corehq.apps.cloudcare.middleware.CloudcareMiddleware',
-    # middleware that adds cookies must come before SecureCookiesMiddleware
-    'corehq.middleware.SecureCookiesMiddleware',
     'field_audit.middleware.FieldAuditMiddleware',
 ]