Merge pull request Pylons#3300 from Pylons/feature/session-samesite-lax

Feature: Default session cookies to SameSite=Lax

CHANGES.rst

@@ -30,6 +30,13 @@ Features
   route_prefix for ``include`` and ``add_route`` calls inside the context.
   See https://github.com/Pylons/pyramid/pull/3279
 
+- Modify the builtin session implementations to support SameSite options on
+  cookies and set the default to ``'Lax'``. This affects
+  ``pyramid.session.BaseCookieSessionFactory``,
+  ``pyramid.session.SignedCookieSessionFactory``, and
+  ``pyramid.session.UnencryptedCookieSessionFactoryConfig``.
+  See https://github.com/Pylons/pyramid/pull/3300
+
 Bug Fixes
 ---------
 
@@ -59,6 +66,12 @@ Backward Incompatibilities
   from a feature removed in Pyramid 1.5 and has had no effect since then.
   See https://github.com/Pylons/pyramid/pull/3299
 
+- Modify the builtin session implementations to set ``SameSite='Lax'`` on
+  cookies. This affects ``pyramid.session.BaseCookieSessionFactory``,
+  ``pyramid.session.SignedCookieSessionFactory``, and
+  ``pyramid.session.UnencryptedCookieSessionFactoryConfig``.
+  See https://github.com/Pylons/pyramid/pull/3300
+
 Documentation Changes
 ---------------------
 

CONTRIBUTORS.txt

@@ -319,4 +319,6 @@ Contributors
 
 - Hunter Senft-Grupp, 2018/05/14
 
-- Junhak Lee, 2018/05/14
+- Junhak Lee, 2018/05/14
+
+- Alex Gaynor, 2018/05/24

pyramid/session.py

@@ -135,6 +135,7 @@ def BaseCookieSessionFactory(
     domain=None,
     secure=False,
     httponly=False,
+    samesite='Lax',
     timeout=1200,
     reissue_time=0,
     set_on_exception=True,
@@ -187,6 +188,10 @@ def BaseCookieSessionFactory(
       Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
       session cookie. Default: ``False``.
 
+    ``samesite``
+      The 'samesite' option of the session cookie. Set the value to ``None``
+      to turn off the samesite option.  Default: ``'Lax'``.
+
     ``timeout``
       A number of seconds of inactivity before a session times out. If
       ``None`` then the cookie never expires. This lifetime only applies
@@ -216,6 +221,10 @@ def BaseCookieSessionFactory(
       while rendering a view. Default: ``True``.
 
     .. versionadded: 1.5a3
+
+    .. versionchanged: 1.10
+
+       Added the ``samesite`` option and made the default ``'Lax'``.
     """
 
     @implementer(ISession)
@@ -229,6 +238,7 @@ class CookieSession(dict):
         _cookie_domain = domain
         _cookie_secure = secure
         _cookie_httponly = httponly
+        _cookie_samesite = samesite
         _cookie_on_exception = set_on_exception
         _timeout = timeout if timeout is None else int(timeout)
         _reissue_time = reissue_time if reissue_time is None else int(reissue_time)
@@ -367,6 +377,7 @@ def _set_cookie(self, response):
                 domain=self._cookie_domain,
                 secure=self._cookie_secure,
                 httponly=self._cookie_httponly,
+                samesite=self._cookie_samesite,
                 )
             return True
 
@@ -382,6 +393,7 @@ def UnencryptedCookieSessionFactoryConfig(
     cookie_domain=None,
     cookie_secure=False,
     cookie_httponly=False,
+    cookie_samesite='Lax',
     cookie_on_exception=True,
     signed_serialize=signed_serialize,
     signed_deserialize=signed_deserialize,
@@ -434,6 +446,10 @@ def UnencryptedCookieSessionFactoryConfig(
     ``cookie_httponly``
       The 'httpOnly' flag of the session cookie.
 
+    ``cookie_samesite``
+      The 'samesite' option of the session cookie. Set the value to ``None``
+      to turn off the samesite option.  Default: ``'Lax'``.
+
     ``cookie_on_exception``
       If ``True``, set a session cookie even if an exception occurs
       while rendering a view.
@@ -447,6 +463,10 @@ def UnencryptedCookieSessionFactoryConfig(
       A callable which takes a signed and serialized data structure in bytes
       and a secret and returns the original data structure if the signature
       is valid. Default: ``signed_deserialize`` (using pickle).
+
+    .. versionchanged: 1.10
+
+       Added the ``samesite`` option and made the default ``'Lax'``.
     """
 
     class SerializerWrapper(object):
@@ -469,6 +489,7 @@ def dumps(self, appstruct):
         domain=cookie_domain,
         secure=cookie_secure,
         httponly=cookie_httponly,
+        samesite=cookie_samesite,
         timeout=timeout,
         reissue_time=0, # to keep session.accessed == session.renewed
         set_on_exception=cookie_on_exception,
@@ -491,6 +512,7 @@ def SignedCookieSessionFactory(
     domain=None,
     secure=False,
     httponly=False,
+    samesite='Lax',
     set_on_exception=True,
     timeout=1200,
     reissue_time=0,
@@ -553,6 +575,10 @@ def SignedCookieSessionFactory(
       Hide the cookie from Javascript by setting the 'HttpOnly' flag of the
       session cookie. Default: ``False``.
 
+    ``samesite``
+      The 'samesite' option of the session cookie. Set the value to ``None``
+      to turn off the samesite option.  Default: ``'Lax'``.
+
     ``timeout``
       A number of seconds of inactivity before a session times out. If
       ``None`` then the cookie never expires. This lifetime only applies
@@ -589,6 +615,10 @@ def SignedCookieSessionFactory(
       the :class:`pyramid.session.PickleSerializer` serializer will be used.
 
     .. versionadded: 1.5a3
+
+    .. versionchanged: 1.10
+
+       Added the ``samesite`` option and made the default ``Lax``.
     """
     if serializer is None:
         serializer = PickleSerializer()
@@ -608,6 +638,7 @@ def SignedCookieSessionFactory(
         domain=domain,
         secure=secure,
         httponly=httponly,
+        samesite=samesite,
         timeout=timeout,
         reissue_time=reissue_time,
         set_on_exception=set_on_exception,

pyramid/tests/test_session.py

@@ -145,13 +145,14 @@ def test__set_cookie_options(self):
         response = Response()
         self.assertEqual(session._set_cookie(response), True)
         cookieval = response.headerlist[-1][1]
-        val, domain, path, secure, httponly = [x.strip() for x in
-                                               cookieval.split(';')]
+        val, domain, path, secure, httponly, samesite = [x.strip() for x in
+                                                         cookieval.split(';')]
         self.assertTrue(val.startswith('abc='))
         self.assertEqual(domain, 'Domain=localhost')
         self.assertEqual(path, 'Path=/foo')
         self.assertEqual(secure, 'secure')
         self.assertEqual(httponly, 'HttpOnly')
+        self.assertEqual(samesite, 'SameSite=Lax')
 
     def test_flash_default(self):
         request = testing.DummyRequest()
@@ -503,7 +504,7 @@ def test_serialize_option(self):
         expected_cookieval = dummy_signed_serialize(
             (session.accessed, session.created, {'key': 'value'}), secret)
         response = Response()
-        response.set_cookie('session', expected_cookieval)
+        response.set_cookie('session', expected_cookieval, samesite='Lax')
         expected_cookie = response.headerlist[-1][1]
         self.assertEqual(cookie, expected_cookie)
 

setup.py

@@ -29,7 +29,7 @@ def readfile(name):
     'setuptools',
     'translationstring >= 0.4',  # py3 compat
     'venusian >= 1.0',  # ``ignore``
-    'webob >= 1.8.0',  # acceptparse.create_accept_header
+    'webob >= 1.8.2',  # cookies.make_cookie allows non-bytes samesite
     'zope.deprecation >= 3.5.0',  # py3 compat
     'zope.interface >= 3.8.0',  # has zope.interface.registry
 ]