andrewmusselman opened a new issue, #543:
URL: https://github.com/apache/tooling-trusted-releases/issues/543
## Summary
Session cookie security attributes are not explicitly configured, relying on
external library defaults that cannot be verified.
## ASVS Requirements
- 3.4.1 - Cookie-based session management
- 3.4.2 - Cookie HttpOnly attribute
- 14.3.1 - Cookie security attributes
## Related Audit Reports
- [Weak Cryptography #399](ASVS/weak-cryptography-399.md) - Section 1
- [External Access #400](ASVS/external-access-400.md) - Section 3.4.2
- [Credential Stealing #403](ASVS/credential-stealing-403.md) - Section 4
## Affected Files
- `atr/config.py` - Missing configuration
- `atr/server.py` - Missing configuration
## Current Behavior
No explicit SESSION_COOKIE_* settings found. Session management delegated to
asfquart library.
## Recommended Fix
```python
# In atr/config.py, add to AppConfig class:
class AppConfig:
    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True
    SESSION_COOKIE_SAMESITE = 'Lax'
    SESSION_COOKIE_NAME = '__Host-session'  # Additional security with __Host- prefix
```
## Acceptance Criteria
- [ ] SESSION_COOKIE_SECURE = True
- [ ] SESSION_COOKIE_HTTPONLY = True
- [ ] SESSION_COOKIE_SAMESITE = 'Lax' (or 'Strict')
- [ ] Verify asfquart respects these settings
- [ ] Consider __Host- prefix for additional security
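As an added check for the "Verify asfquart respects these settings" criterion (example code, not from the project or the issue author): it parses a captured `Set-Cookie` header and reports which of the attributes above are missing, including the extra rules a `__Host-` prefixed cookie must satisfy; the sample headers are constructed.

```python
"""Check a Set-Cookie header against the session-cookie attributes this issue asks for."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def session_cookie_findings(header: str) -> list[str]:
    """Return a list of problems; an empty list means the cookie meets the criteria."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite must be Lax or Strict")
    if cookie["name"].startswith("__Host-"):
        # Browsers drop a __Host- cookie that violates these rules, so a
        # misconfigured prefix silently breaks login instead of hardening it.
        # (Secure is already required above.)
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids Domain")
    return findings


# Constructed sample headers, not captured from the project.
WEAK = "session=abc123; Path=/"
HARDENED = "__Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"
BAD_PREFIX = "__Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Domain=example.org"

if __name__ == "__main__":
    for h in (WEAK, HARDENED, BAD_PREFIX):
        print(h, "->", session_cookie_findings(h) or "ok")
```

Run it against the headers the login response actually returns; an empty list for the session cookie satisfies the three attribute criteria and the `__Host-` rules at once.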