From 73b1222f6b5246f64eb17c4b56556f7d05138430 Mon Sep 17 00:00:00 2001 From: Till Maas Date: Wed, 4 Feb 2015 15:34:31 +0100 Subject: [PATCH] Make other flask session cookies secure --- roles/anitya/backend/templates/anitya.cfg | 3 +++ roles/anitya/backend/templates/anitya_admin.cfg | 3 +++ roles/blockerbugs/templates/blockerbugs-settings.py.j2 | 3 +++ roles/elections/templates/fedora-elections.cfg | 3 +++ roles/fedocal/templates/fedocal.cfg | 3 +++ roles/kerneltest/templates/kerneltest.cfg | 3 +++ roles/nuancier/templates/nuancier.cfg | 3 +++ roles/tagger/templates/fedoratagger.cfg.j2 | 3 +++ 8 files changed, 24 insertions(+) diff --git a/roles/anitya/backend/templates/anitya.cfg b/roles/anitya/backend/templates/anitya.cfg index eed8c5c5f9..5e886e91b0 100644 --- a/roles/anitya/backend/templates/anitya.cfg +++ b/roles/anitya/backend/templates/anitya.cfg @@ -24,3 +24,6 @@ CNUCNU_WEB_FEDORA_OPENID = 'https://id.fedoraproject.org' # This is required to fix login PREFERRED_URL_SCHEME='https' + +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True diff --git a/roles/anitya/backend/templates/anitya_admin.cfg b/roles/anitya/backend/templates/anitya_admin.cfg index d157198c23..04ce54da74 100644 --- a/roles/anitya/backend/templates/anitya_admin.cfg +++ b/roles/anitya/backend/templates/anitya_admin.cfg @@ -24,3 +24,6 @@ CNUCNU_WEB_FEDORA_OPENID = 'https://id.fedoraproject.org' # This is required to fix login PREFERRED_URL_SCHEME='https' + +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True diff --git a/roles/blockerbugs/templates/blockerbugs-settings.py.j2 b/roles/blockerbugs/templates/blockerbugs-settings.py.j2 index d462ecea74..60754b9a96 100644 --- a/roles/blockerbugs/templates/blockerbugs-settings.py.j2 +++ b/roles/blockerbugs/templates/blockerbugs-settings.py.j2 
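Review bot: The comment added above `SESSION_COOKIE_SECURE = True` in roles/anitya/backend/templates/anitya.cfg does not say that the setting depends on every entry point to the app being HTTPS. The flag only tells the browser to withhold the session cookie on plain HTTP; it does not redirect or reject HTTP requests, so a user who reaches the app over http:// would appear logged out. Whether the front-end proxy forces HTTPS is not visible in this patch. I would extend the comment to `# Make browsers send session cookie only via HTTPS; the proxy must redirect all HTTP to HTTPS or sessions will not persist`. The same comment is added in the other seven templates (anitya_admin.cfg, blockerbugs-settings.py.j2, fedora-elections.cfg, fedocal.cfg, kerneltest.cfg, nuancier.cfg, fedoratagger.cfg.j2), so the wording applies there as well.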
@@ -21,3 +21,6 @@ STREAM_LOGGING = False # to fix login issue for folks who are part of many FAS groups PREFERRED_URL_SCHEME='https' + +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True diff --git a/roles/elections/templates/fedora-elections.cfg b/roles/elections/templates/fedora-elections.cfg index 9331d0beed..10a7fe6ef3 100644 --- a/roles/elections/templates/fedora-elections.cfg +++ b/roles/elections/templates/fedora-elections.cfg @@ -31,6 +31,9 @@ FAS_CHECK_CERT = True # This is required to fix login PREFERRED_URL_SCHEME='https' +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True + DOGPILE_CACHE = { 'backend': 'dogpile.cache.memcached', 'arguments': { diff --git a/roles/fedocal/templates/fedocal.cfg b/roles/fedocal/templates/fedocal.cfg index d21e0b0b1a..2c00bdc776 100644 --- a/roles/fedocal/templates/fedocal.cfg +++ b/roles/fedocal/templates/fedocal.cfg @@ -33,6 +33,9 @@ PATH_ALEMBIC_INI='/etc/fedocal/alembic.ini' # This is required to fix login PREFERRED_URL_SCHEME='https' +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True + {% if env == 'staging' %} APP_URL = 'https://apps.stg.fedoraproject.org/calendar/' FAS_OPENID_ENDPOINT = 'https://id.stg.fedoraproject.org/' diff --git a/roles/kerneltest/templates/kerneltest.cfg b/roles/kerneltest/templates/kerneltest.cfg index 076f0ebfd3..6552cb1dcd 100644 --- a/roles/kerneltest/templates/kerneltest.cfg +++ b/roles/kerneltest/templates/kerneltest.cfg @@ -32,6 +32,9 @@ MAX_CONTENT_LENGTH = 1024 * 10 # This is required to fix login PREFERRED_URL_SCHEME='https' +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True + {% if env == 'staging' %} FAS_OPENID_ENDPOINT = 'https://id.stg.fedoraproject.org/' {% endif %} diff --git a/roles/nuancier/templates/nuancier.cfg b/roles/nuancier/templates/nuancier.cfg index 5c7c704eb3..3c2781521b 100644 --- a/roles/nuancier/templates/nuancier.cfg 
+++ b/roles/nuancier/templates/nuancier.cfg @@ -46,6 +46,9 @@ THUMB_SIZE = (256, 256) # This is required to fix login in stg PREFERRED_URL_SCHEME='https' +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True + # dogpile.cache configuration to work with memcached NUANCIER_CACHE_BACKEND = 'dogpile.cache.memcached' NUANCIER_CACHE_KWARGS = {'arguments' : { diff --git a/roles/tagger/templates/fedoratagger.cfg.j2 b/roles/tagger/templates/fedoratagger.cfg.j2 index 788eac9dc9..27040034bc 100644 --- a/roles/tagger/templates/fedoratagger.cfg.j2 +++ b/roles/tagger/templates/fedoratagger.cfg.j2 @@ -12,6 +12,9 @@ FAS_OPENID_ENDPOINT = 'http://id.fedoraproject.org' # This is required for openid to work in stg. Might as well for prod too. PREFERRED_URL_SCHEME = 'https' +# Make browsers send session cookie only via HTTPS +SESSION_COOKIE_SECURE = True + # Stuff for toscawidgets2 RES_PREFIX = '/tagger/_res/'
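Review bot: In roles/tagger/templates/fedoratagger.cfg.j2 the hunk header shows `FAS_OPENID_ENDPOINT = 'http://id.fedoraproject.org'` just above the new `SESSION_COOKIE_SECURE = True`, so the session cookie becomes HTTPS-only while the OpenID endpoint that establishes the login is still a plain-HTTP URL. That line sits outside the changed lines and the identity server may well redirect to HTTPS, but anitya.cfg in this same patch already uses `https://id.fedoraproject.org`. I would change it in this commit to `FAS_OPENID_ENDPOINT = 'https://id.fedoraproject.org'` so that the login exchange is not left open to tampering on the network path.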