Journalist API responses include Set-Cookie/Vary headers #3876

Closed
heartsucker opened this issue Oct 15, 2018 · 4 comments

@heartsucker
Contributor

heartsucker commented Oct 15, 2018

Description

The API includes the Set-Cookie header and Vary: Cookie when they should not as they are not relevant to accessing the API.

Steps to Reproduce

In one terminal: make dev.
In another: http HEAD localhost:8081/api/v1

Expected Behavior

HTTP/1.0 200 OK
Content-Length: 198
Content-Type: application/json
Date: Mon, 15 Oct 2018 13:06:32 GMT
Server: Werkzeug/0.14.1 Python/2.7.6

Actual Behavior

HTTP/1.0 200 OK
Content-Length: 198
Content-Type: application/json
Date: Mon, 15 Oct 2018 13:06:32 GMT
Server: Werkzeug/0.14.1 Python/2.7.6
Set-Cookie: js=eyJleHBpcmVzIjp7IiBkIjoiTW9uLCAxNSBPY3QgMjAxOCAxNTowNjozMiBHTVQifX0.DqYiWA.-hH2qepnrLDYF8HV79vsn29TfhY; HttpOnly; Path=/
Vary: Cookie

Comments

I have tried implementing an override to SecureSessionInterface that doesn't set a cookie if the endpoint matches the API endpoint, but... no dice so far.

@vivekanand1101

@heartsucker are you still working on this or can I give it a try?

@heartsucker
Contributor Author

I'm not actively working on it, so if you'd like to give it a try that'd be very helpful!

@vivekanand1101

batman on it.

@vivekanand1101

I am not able to give it as much time as I thought I would. So, if anyone wants to take this, they are free to.

rjmackay added a commit to rjmackay/securedrop that referenced this issue Nov 24, 2018
Implement a custom session interface that never sets session cookies
on API requests

Fixes freedomofpress#3876
rjmackay added a commit to rjmackay/securedrop that referenced this issue Nov 25, 2018
Implement a custom session interface that never sets session cookies
on API requests

Fixes freedomofpress#3876
rjmackay added a commit to rjmackay/securedrop that referenced this issue Dec 2, 2018
Implement a custom session interface that doesn't save sessions
for API requests

Fixes freedomofpress#3876
rjmackay added a commit to rjmackay/securedrop that referenced this issue Dec 7, 2018
Implement a custom session interface that doesn't save sessions
for API requests

Fixes freedomofpress#3876
@emkll emkll mentioned this issue Feb 19, 2019
kushaldas pushed a commit that referenced this issue Sep 25, 2019
Implement a custom session interface that doesn't save sessions
for API requests

Fixes #3876
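
The approach named in the commit messages above, sketched as an added example (not the SecureDrop project's code): a Flask session interface that skips saving the session for API paths, so those responses carry neither Set-Cookie nor Vary: Cookie. The `/api/` prefix, the class name, the routes, the `before_request` hook and the secret key are assumptions constructed for the demo.

```python
from flask import Flask, jsonify, request, session
from flask.sessions import SecureCookieSessionInterface

# Assumption: every token-authenticated route lives under this prefix.
API_PREFIX = "/api/"


class ApiAwareSessionInterface(SecureCookieSessionInterface):
    """Cookie sessions for the web UI, no session persistence for the API."""

    def save_session(self, app, session, response):
        # Returning before the parent implementation runs means Flask never
        # adds Set-Cookie, and never adds "Vary: Cookie" for an accessed session.
        if request.path.startswith(API_PREFIX):
            return
        super().save_session(app, session, response)


def create_app():
    app = Flask(__name__)
    app.secret_key = "constructed-key-for-demo-only"  # constructed value
    app.session_interface = ApiAwareSessionInterface()

    @app.before_request
    def touch_session():
        # Constructed stand-in for app-wide code that writes to the session
        # on every request, which is what makes Flask emit the cookie.
        session["expires"] = "constructed"

    @app.route("/api/v1/")
    def api_index():
        return jsonify(status="ok")

    @app.route("/")
    def web_index():
        return "web ui"

    return app


def response_headers(path):
    """Return (list of Set-Cookie values, Vary header value) for GET `path`."""
    resp = create_app().test_client().get(path)
    return resp.headers.getlist("Set-Cookie"), resp.headers.get("Vary", "")
```

The same `response_headers` check works as a regression test: an API route that starts emitting a session cookie again fails it immediately.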