[GeoNode-devel] Reg: Use of httponly flag for cookie in GeoNode
Naresh N
naresh919 at gmail.com
Tue Aug 20 21:47:47 PDT 2019
Dear Alessio,
I have done the changes in my local environment of GeoNode. Please find
the details below.
ISSUE: Use of HttpOnly flag for CSRF cookie
(i) Set the flag in settings.py: CSRF_COOKIE_HTTPONLY=True
(ii) In all of the following files the code that reads the CSRF token value from the cookie is commented out, and new code is added which reads the CSRF token value from the hidden input field named csrfmiddlewaretoken:
a. /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html
b. /home/geonode/geonode/static_root/pinax/js/theme.js
c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
d. /home/geonode/geonode/static_root/pinax/js/theme.js
e. /home/geonode/geonode/static_root/geonode/js/utils/util.js
f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
The following functions' code from the above files is modified to:
var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val(); return csrftoken;
getCRSFToken: function() {
    // Original (cookie-based) lookup: reads the csrftoken cookie from
    // document.cookie. Returns undefined once the cookie is HttpOnly,
    // because an HttpOnly cookie never appears in document.cookie.
    var csrfToken, csrfMatch = document.cookie.match(/csrftoken=(\w+)/);
    if (csrfMatch && csrfMatch.length > 0) {
        csrfToken = csrfMatch[1];
    }
    return csrfToken;
},
function getCookie(name) {
    // Original (cookie-based) lookup: scans document.cookie for "name=".
    // Returns null when the cookie is absent or hidden by HttpOnly.
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = $.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue =
                    decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}
Thanks&Regards,
Naresh.n
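The approach the thread converges on (read the token from the hidden csrfmiddlewaretoken input that Django's {% csrf_token %} tag renders, instead of from document.cookie, and send it as X-CSRFToken), as an added example that is not part of the original post or of GeoNode's or Django's own code. The DOM is abstracted as a small object with `cookie` and `querySelector` so the logic runs under Node; `getCsrfToken`, `csrfHeaders`, `withCsrf`, `fakePage` and the token strings are assumptions made for this example. One practical check: with CSRF_COOKIE_HTTPONLY=True every page that issues unsafe AJAX requests must render {% csrf_token %}, otherwise there is no token reachable from script at all, which is what produces the "CSRF verification failed" seen here.

```javascript
// Added example (not GeoNode's code): CSRF token lookup that keeps working
// once the csrftoken cookie is HttpOnly. The DOM is passed in as a plain
// object with `cookie` and `querySelector` so this also runs under Node.

// Parse one cookie out of a document.cookie-style string. Returns null when
// absent; an HttpOnly cookie is never present in document.cookie at all.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  const prefix = name + '=';
  for (const part of cookieString.split(';')) {
    const c = part.trim();
    if (c.startsWith(prefix)) return decodeURIComponent(c.slice(prefix.length));
  }
  return null;
}

// Preferred source: the hidden <input name="csrfmiddlewaretoken"> rendered by
// Django's {% csrf_token %} tag. Fallback: the csrftoken cookie, which is only
// readable while CSRF_COOKIE_HTTPONLY is False.
function getCsrfToken(doc) {
  const field = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  if (field && field.value) return field.value;
  return getCookie('csrftoken', doc.cookie);
}

// Django does not check CSRF on these methods, so the token is not sent there.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Headers to add to an unsafe request. Throws instead of silently sending a
// request the server will reject with "CSRF verification failed".
function csrfHeaders(method, doc) {
  if (csrfSafeMethod(method)) return {};
  const token = getCsrfToken(doc);
  if (!token) {
    throw new Error('CSRF token not found: the page must render {% csrf_token %} ' +
                    'when CSRF_COOKIE_HTTPONLY is True');
  }
  return { 'X-CSRFToken': token };
}

// Build a fetch()-style init. The token is attached only to same-origin URLs;
// it must never travel to another origin.
function withCsrf(url, init, doc, origin) {
  const method = (init && init.method) || 'GET';
  const sameOrigin = url.startsWith('/') || url === origin || url.startsWith(origin + '/');
  const headers = Object.assign({}, (init && init.headers) || {});
  if (sameOrigin) Object.assign(headers, csrfHeaders(method, doc));
  return Object.assign({}, init, { method: method, headers: headers });
}

// Constructed stand-ins for a browser page (assumption, not a real DOM).
function fakePage(fieldValue, cookieString) {
  return {
    cookie: cookieString,
    querySelector(sel) {
      return sel === 'input[name="csrfmiddlewaretoken"]' && fieldValue
        ? { value: fieldValue } : null;
    },
  };
}

const pageWithField = fakePage('tok-constructed-123', '');     // HttpOnly: cookie invisible, field present
const pageWithoutField = fakePage(null, 'sessionid=abc');      // no {% csrf_token %} rendered
const pageLegacy = fakePage(null, 'csrftoken=legacy%20tok');   // cookie still readable (HttpOnly off)

const origin = 'https://geonode.example';
console.log(withCsrf('/layers/upload', { method: 'POST' }, pageWithField, origin));
console.log(withCsrf('https://other.example/x', { method: 'POST' }, pageWithField, origin));
try {
  withCsrf('/layers/upload', { method: 'POST' }, pageWithoutField, origin);
} catch (e) {
  console.log('expected failure:', e.message);
}
```

The cookie fallback is kept only so the same helper works before and after the settings change; once the cookie is HttpOnly, the hidden field is the only source, and the thrown error points at the missing {% csrf_token %} rather than at a mysterious 403.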
On Tue, Aug 20, 2019 at 5:34 PM Alessio Fabiani <
alessio.fabiani at geo-solutions.it> wrote:
> Any chance to send a Pull Request to GeoNode along with the issue
> description?
>
> On Tue, 20 Aug 2019 at 13:05, Naresh N <naresh919 at gmail.com>
> wrote:
>
>> Dear All,
>>
>> I was able to resolve the issue. The following changes were made.
>>
>> 1. settings.py: CSRF_COOKIE_HTTPONLY=True
>> 2. In the following files the X-CSRFToken value is assigned using
>> var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();
>>
>> a. /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html
>> b. /home/geonode/geonode/static_root/pinax/js/theme.js
>> c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
>> d. /home/geonode/geonode/static_root/pinax/js/theme.js
>> e. /home/geonode/geonode/static_root/geonode/js/utils/util.js
>> f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
>>
>> Thanks&Regards,
>> Naresh.N
>>
>> On Mon, Aug 19, 2019 at 3:05 PM Naresh N <naresh919 at gmail.com> wrote:
>>
>>> Dear all,
>>>
>>> The following changes were made to enable the HttpOnly flag for cookies:
>>>
>>> 1. In settings.py: CSRF_COOKIE_HTTPONLY=True
>>> 2. The X-CSRFToken value is set using jQuery:
>>> var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();
>>>
>>> After making the above changes, layers are not getting uploaded and
>>> "CSRF validation failed" is shown. Please find the screenshot attached to this mail.
>>>
>>> Kindly help me to fix the issue. Apart from the places mentioned above,
>>> are there any other places that need changes?
>>>
>>> Thanks&Regards,
>>> Naresh.N
>>>
>>>
>>> On Fri, Aug 16, 2019 at 1:46 PM Naresh N <naresh919 at gmail.com> wrote:
>>>
>>>> Dear All,
>>>>
>>>> Kindly help regarding the use of the HttpOnly flag for cookies in GeoNode.
>>>>
>>>> Thanks&Regards,
>>>> Naresh.N
>>>>
>>>> On Wed, Aug 14, 2019 at 3:03 PM Naresh N <naresh919 at gmail.com> wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> We have used GeoNode to develop our portal.
>>>>> As part of our security measures, we have to set cookies with the
>>>>> HttpOnly flag. I have enabled the flag CSRF_COOKIE_HTTPONLY as True in
>>>>> settings.py; after that, upload layers and other AJAX request functions
>>>>> are not working.
>>>>>
>>>>> Please suggest how to overcome this. Which are all the places where the
>>>>> code needs to be modified?
>>>>>
>>>>> Thanks&Regards,
>>>>> Naresh.N
>>>>>
>>>>
>
> --
>
> ==
>
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/it488V for more information.
> ==
> Ing. Alessio Fabiani
>
> @alfa7691
> Founder/Technical Lead
>
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A - 55054 Massarosa (LU) - Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 331 6233686
>
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it