Fix SameSite cookie issue for LTI Provider. EW-449

There was an issue where external LMS system (e.g. Canvas, Blackboard) that used Open edX LTI Provider calls had cookies blocked. This update fixes this issue by defining third-party cookies to have attributes of `Secure=True` and `SameSite=None`. Details here: https://discuss.openedx.org/t/lti-xblock-and-samesite/759/5 (cherry picked from commit 28479a2966b87b16a25dbc96c19b6f5817d255de)
2020-04-10 20:09:56 -04:00
parent bb85420e91
commit 7b3525278e
6 changed files with 9 additions and 6 deletions
--- a/lms/djangoapps/email_marketing/signals.py
+++ b/lms/djangoapps/email_marketing/signals.py
@@ -116,6 +116,7 @@ def add_email_marketing_cookies(sender, response=None, user=None,
            max_age=365 * 24 * 60 * 60,  # set for 1 year
            domain=settings.SESSION_COOKIE_DOMAIN,
            path='/',
+            secure=request.is_secure()
        )
        log.info(u"sailthru_hid cookie:%s successfully retrieved for user %s", cookie, user.email)

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1472,7 +1472,9 @@ CREDIT_NOTIFICATION_CACHE_TIMEOUT = 5 * 60 * 60
 ################################# Middleware ###################################

 MIDDLEWARE = [
-    'openedx.core.lib.x_forwarded_for.middleware.XForwardedForMiddleware',
+    # Avoid issue with https://blog.heroku.com/chrome-changes-samesite-cookie
+    # Override was found here https://github.com/django/django/pull/11894
+    'django_cookies_samesite.middleware.CookiesSameSite',

    'crum.CurrentRequestUserMiddleware',

@@ -1568,9 +1570,6 @@ MIDDLEWARE = [
    # Handles automatically storing user ids in django-simple-history tables when possible.
    'simple_history.middleware.HistoryRequestMiddleware',

-    # Sets SameSite flag for session and csrf cookies in legacy versions of Django.
-    'django_cookies_samesite.middleware.CookiesSameSite',
-
    # This must be last
    'openedx.core.djangoapps.site_configuration.middleware.SessionCookieDomainOverrideMiddleware',
 ]
--- a/openedx/core/djangoapps/lang_pref/middleware.py
+++ b/openedx/core/djangoapps/lang_pref/middleware.py
@@ -77,6 +77,7 @@ class LanguagePreferenceMiddleware(MiddlewareMixin):
                    value=user_pref,
                    domain=settings.SESSION_COOKIE_DOMAIN,
                    max_age=COOKIE_DURATION,
+                    secure=request.is_secure()
                )
            else:
                response.delete_cookie(
--- a/openedx/core/djangoapps/lang_pref/tests/test_middleware.py
+++ b/openedx/core/djangoapps/lang_pref/tests/test_middleware.py
@@ -75,6 +75,7 @@ class TestUserPreferenceMiddleware(CacheIsolationTestCase):
                value=lang_pref_out,
                domain=settings.SESSION_COOKIE_DOMAIN,
                max_age=COOKIE_DURATION,
+                secure=self.request.is_secure(),
            )
        else:
            response.delete_cookie.assert_called_with(
--- a/openedx/core/djangoapps/lang_pref/views.py
+++ b/openedx/core/djangoapps/lang_pref/views.py
@@ -31,6 +31,7 @@ def update_session_language(request):
            settings.LANGUAGE_COOKIE,
            language,
            domain=settings.SESSION_COOKIE_DOMAIN,
-            max_age=COOKIE_DURATION
+            max_age=COOKIE_DURATION,
+            secure=request.is_secure(),
        )
    return response
--- a/openedx/core/djangoapps/user_authn/views/auto_auth.py
+++ b/openedx/core/djangoapps/user_authn/views/auto_auth.py
@@ -189,7 +189,7 @@ def auto_auth(request):  # pylint: disable=too-many-statements
            'user_id': user.id,
            'anonymous_id': anonymous_id_for_user(user, None),
        })
-    response.set_cookie('csrftoken', csrf(request)['csrf_token'])
+    response.set_cookie('csrftoken', csrf(request)['csrf_token'], secure=request.is_secure())
    return response