Merge pull request #11358 from edx/release

Hotfix for MA-1981 and safe sessions

cms/envs/bok_choy.py

@@ -120,9 +120,8 @@ MOCK_SEARCH_BACKING_FILE = (
     TEST_ROOT / "index_file.dat"
 ).abspath()
 
-# Generate a random UUID so that different runs of acceptance tests don't break each other
-import uuid
-SECRET_KEY = uuid.uuid4().hex
+# this secret key should be the same as lms/envs/bok_choy.py's
+SECRET_KEY = "very_secret_bok_choy_key"
 
 #####################################################################
 # Lastly, see if the developer has any local overrides.

cms/envs/common.py

@@ -310,7 +310,11 @@ MIDDLEWARE_CLASSES = (
     'django.middleware.cache.UpdateCacheMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
-    'django.contrib.sessions.middleware.SessionMiddleware',
+
+    # Instead of SessionMiddleware, we use a more secure version
+    # 'django.contrib.sessions.middleware.SessionMiddleware',
+    'openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware',
+
     'method_override.middleware.MethodOverrideMiddleware',
 
     # Instead of AuthenticationMiddleware, we use a cache-backed version