diff --git a/lms/djangoapps/email_marketing/signals.py b/lms/djangoapps/email_marketing/signals.py
index 76271d45c9..5ac4ac95dd 100644
--- a/lms/djangoapps/email_marketing/signals.py
+++ b/lms/djangoapps/email_marketing/signals.py
@@ -116,6 +116,7 @@ def add_email_marketing_cookies(sender, response=None, user=None,
 max_age=365 * 24 * 60 * 60, # set for 1 year
 domain=settings.SESSION_COOKIE_DOMAIN,
 path='/',
+ secure=request.is_secure()
 )
 log.info(u"sailthru_hid cookie:%s successfully retrieved for user %s", cookie, user.email)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index f6796d5ada..833b292acd 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1472,7 +1472,9 @@ CREDIT_NOTIFICATION_CACHE_TIMEOUT = 5 * 60 * 60
 ################################# Middleware ###################################
 MIDDLEWARE = [
- 'openedx.core.lib.x_forwarded_for.middleware.XForwardedForMiddleware',
+ # Avoid issue with https://blog.heroku.com/chrome-changes-samesite-cookie
+ # Override was found here https://github.com/django/django/pull/11894
+ 'django_cookies_samesite.middleware.CookiesSameSite',
 'crum.CurrentRequestUserMiddleware',
@@ -1568,9 +1570,6 @@ MIDDLEWARE = [
 # Handles automatically storing user ids in django-simple-history tables when possible.
 'simple_history.middleware.HistoryRequestMiddleware',
- # Sets SameSite flag for session and csrf cookies in legacy versions of Django.
- 'django_cookies_samesite.middleware.CookiesSameSite',
- # This must be last
 'openedx.core.djangoapps.site_configuration.middleware.SessionCookieDomainOverrideMiddleware',
 ]
diff --git a/openedx/core/djangoapps/lang_pref/middleware.py b/openedx/core/djangoapps/lang_pref/middleware.py
index c3c5fc1b17..cef57cfc56 100644
--- a/openedx/core/djangoapps/lang_pref/middleware.py
+++ b/openedx/core/djangoapps/lang_pref/middleware.py
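Review bot: `secure=request.is_secure()` makes the Secure attribute of the one-year sailthru_hid cookie depend on the scheme of whichever request happens to set it, so a single page still served over plain HTTP writes the cookie without Secure, and behind a TLS-terminating proxy `is_secure()` only reports True when `SECURE_PROXY_SSL_HEADER` is configured. The cookie already follows `settings.SESSION_COOKIE_DOMAIN`, so following the matching deployment policy is simpler and deterministic: `secure=settings.SESSION_COOKIE_SECURE,`. The hunk header truncates the parameter list after `user=None,`, so confirm `request` is actually a parameter of this signal handler; the body of add_email_marketing_cookies continues outside the hunk.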
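Review bot: The first hunk replaces the `XForwardedForMiddleware` entry instead of inserting `CookiesSameSite` above it, and no other hunk in this diff re-adds it, so unless it was moved in a part of common.py not shown, X-Forwarded-* handling is removed from MIDDLEWARE altogether — a side effect the added comment does not mention. That matters for the rest of this diff: whether `request.is_secure()` sees the proxy's forwarded scheme depends on `SECURE_PROXY_SSL_HEADER` or on a middleware that rewrites the request from X-Forwarded-* headers (presumably what this one does), so dropping it can silently turn every new `secure=` into False behind a load balancer. Keep both entries, `'openedx.core.lib.x_forwarded_for.middleware.XForwardedForMiddleware',` followed by the new `CookiesSameSite` line, and replace the two link comments with one that states why it now has to be first (Django runs response processing in reverse order, so its SameSite rewrite is applied after every other middleware has set its cookies). The 7→9 line counts in the header do not match the lines visible here, so blank context lines were presumably lost when this text was collapsed.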
@@ -77,6 +77,7 @@ class LanguagePreferenceMiddleware(MiddlewareMixin):
 value=user_pref,
 domain=settings.SESSION_COOKIE_DOMAIN,
 max_age=COOKIE_DURATION,
+ secure=request.is_secure()
 )
 else:
 response.delete_cookie(
diff --git a/openedx/core/djangoapps/lang_pref/tests/test_middleware.py b/openedx/core/djangoapps/lang_pref/tests/test_middleware.py
index dc78d5445a..0c699836db 100644
--- a/openedx/core/djangoapps/lang_pref/tests/test_middleware.py
+++ b/openedx/core/djangoapps/lang_pref/tests/test_middleware.py
@@ -75,6 +75,7 @@ class TestUserPreferenceMiddleware(CacheIsolationTestCase):
 value=lang_pref_out,
 domain=settings.SESSION_COOKIE_DOMAIN,
 max_age=COOKIE_DURATION,
+ secure=self.request.is_secure(),
 )
 else:
 response.delete_cookie.assert_called_with(
diff --git a/openedx/core/djangoapps/lang_pref/views.py b/openedx/core/djangoapps/lang_pref/views.py
index bc85afe334..07077920d0 100644
--- a/openedx/core/djangoapps/lang_pref/views.py
+++ b/openedx/core/djangoapps/lang_pref/views.py
@@ -31,6 +31,7 @@ def update_session_language(request):
 settings.LANGUAGE_COOKIE,
 language,
 domain=settings.SESSION_COOKIE_DOMAIN,
- max_age=COOKIE_DURATION
+ max_age=COOKIE_DURATION,
+ secure=request.is_secure(),
 )
 return response
diff --git a/openedx/core/djangoapps/user_authn/views/auto_auth.py b/openedx/core/djangoapps/user_authn/views/auto_auth.py
index 4e24e3389f..6e4a9a8bc3 100644
--- a/openedx/core/djangoapps/user_authn/views/auto_auth.py
+++ b/openedx/core/djangoapps/user_authn/views/auto_auth.py
@@ -189,7 +189,7 @@ def auto_auth(request): # pylint: disable=too-many-statements
 'user_id': user.id,
 'anonymous_id': anonymous_id_for_user(user, None),
 })
- response.set_cookie('csrftoken', csrf(request)['csrf_token'])
+ response.set_cookie('csrftoken', csrf(request)['csrf_token'], secure=request.is_secure())
 return response
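Review bot: `secure=request.is_secure()` again ties the Secure attribute to the scheme of the individual request rather than to deployment policy, so the language cookie is written without Secure on any plain-HTTP request and, behind a proxy, `is_secure()` is only correct with `SECURE_PROXY_SSL_HEADER` set. Mirroring the session cookie's setting keeps this cookie, the view's copy and the marketing cookie on one policy: `secure=settings.SESSION_COOKIE_SECURE,`. The `delete_cookie` branch needs no change, since browsers match a cookie for removal by name, domain and path rather than by the Secure attribute. The enclosing method of LanguagePreferenceMiddleware starts and ends outside the hunk, so where `request` is bound is not visible here.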
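Review bot: The new expectation `secure=self.request.is_secure(),` reproduces the implementation's expression instead of pinning a value, and since `self.request` is presumably a plain RequestFactory request, `is_secure()` is False on both sides, so the True case — the one this change exists for — is never exercised. Pin it: build the request with `secure=True` in one case and assert `secure=True,` there, keeping `secure=False,` for the plain-HTTP case (with ddt this is one extra parameter on the existing test). The test method starts outside the hunk, so how `self.request` is constructed is not visible here.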
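Review bot: The keyword set `domain=settings.SESSION_COOKIE_DOMAIN, max_age=COOKIE_DURATION, secure=request.is_secure(),` now exists verbatim in both this view and LanguagePreferenceMiddleware, and the two had to be edited together in this very commit, which is how cookie attributes drift apart over time. A small helper in lang_pref, e.g. `set_language_cookie(response, request, language)` wrapping the one `response.set_cookie(settings.LANGUAGE_COOKIE, ...)` call, would keep domain, lifetime and Secure policy in one place for both callers. As with the other call sites, `secure=settings.SESSION_COOKIE_SECURE` would be the deterministic choice instead of the per-request scheme. update_session_language's body starts outside the hunk.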
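Review bot: The cookie name `'csrftoken'` and now its Secure attribute are hardcoded here rather than taken from Django's CSRF settings, so this call ignores `CSRF_COOKIE_NAME`, `CSRF_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY`, `CSRF_COOKIE_DOMAIN` and `CSRF_COOKIE_SAMESITE` and can emit a cookie whose attributes differ from the one CsrfViewMiddleware writes on every other response. Because `csrf(request)['csrf_token']` resolves through `get_token(request)`, an active CsrfViewMiddleware will set the properly configured cookie on this response anyway and overwrite this one, so the simplest fix is to drop the explicit `set_cookie` and keep only `get_token(request)`; if it must stay, use `settings.CSRF_COOKIE_NAME` and `secure=settings.CSRF_COOKIE_SECURE`. auto_auth is presumably a development/test-only endpoint, but its gating and the rest of its body are outside the hunk.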