Re: Reg: Use of httponly flag for cookie in GeoNode


Re: Reg: Use of httponly flag for cookie in GeoNode

naresh
Dear All,

Kindly help regarding the httponly flag for cookie use in GeoNode.

Thanks & Regards,
Naresh.N

On Wed, Aug 14, 2019 at 3:03 PM Naresh N <[hidden email]> wrote:
Dear All,

We have used GeoNode for the development of our portal.
As part of our security measures, we have to set cookies with the httponly flag. I have enabled the flag CSRF_COOKIE_HTTPONLY as true in settings.py, but then the upload layers and other AJAX request functions are not working.

Please suggest how to overcome this. Which are all the places where the code needs to be modified?

Thanks & Regards,
Naresh.N

_______________________________________________
geonode-devel mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/geonode-devel

Re: Reg: Use of httponly flag for cookie in GeoNode

naresh
Dear all,

The following changes were made to enable the HTTPOnly flag for cookies:

1. In settings.py: CSRF_COOKIE_HTTPONLY=True
2. The X-CSRFToken value is set using jQuery: var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();

After making the above changes, layers are not getting uploaded and "CSRF validation failed" is shown. Please find the attached screenshot with this mail.

Kindly help me to fix the issue. Apart from the above mentioned places, are there any other places that need changes?

Thanks & Regards,
Naresh.N


On Fri, Aug 16, 2019 at 1:46 PM Naresh N <[hidden email]> wrote:

Attachment: csrf.PNG (278K)

Re: Reg: Use of httponly flag for cookie in GeoNode

naresh
Dear All,

I was able to resolve the issue. The following changes were done:

1. settings.py: CSRF_COOKIE_HTTPONLY=True
2. In the following files the X-CSRFToken value is assigned using var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();
   a. /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html
   b. /home/geonode/geonode/static_root/pinax/js/theme.js
   c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
   d. /home/geonode/geonode/static_root/pinax/js/theme.js
   e. /home/geonode/geonode/static_root/geonode/js/utils/util.js
   f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js

Thanks & Regards,
Naresh.N

On Mon, Aug 19, 2019 at 3:05 PM Naresh N <[hidden email]> wrote:

Re: Reg: Use of httponly flag for cookie in GeoNode

Alessio Fabiani-2
Any chance to send a Pull Request to GeoNode along with the issue description?

On Tue, 20 Aug 2019 at 13:05 Naresh N <[hidden email]> wrote:


--

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
==
Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead


GeoSolutions S.A.S.
Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686


http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------

With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the recipient(s) indicated by the sender alone. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.


This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.



Re: Reg: Use of httponly flag for cookie in GeoNode

naresh
Dear Alessio,

I have made the changes in my local GeoNode environment. Please find the details below.

ISSUE: Use of HttpOnly flag for CSRF cookie

(i) Set the flag in settings.py: CSRF_COOKIE_HTTPONLY=True

(ii) In all of the following files, the code that reads the CSRF token value from the cookie is commented out, and new code is added which reads the CSRF token value from the hidden input field named csrfmiddlewaretoken:
  a. /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html
  b. /home/geonode/geonode/static_root/pinax/js/theme.js
  c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js
  d. /home/geonode/geonode/static_root/pinax/js/theme.js
  e. /home/geonode/geonode/static_root/geonode/js/utils/util.js
  f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js

The code of the following functions from the above files is modified to: var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val(); return csrftoken;
      
getCRSFToken: function() {
    // Reads the token from the csrftoken cookie; yields undefined once the
    // cookie is HttpOnly, because it is then absent from document.cookie.
    var csrfToken, csrfMatch = document.cookie.match(/csrftoken=(\w+)/);
    if (csrfMatch && csrfMatch.length > 0) {
        csrfToken = csrfMatch[1];
    }
    return csrfToken;
},

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = $.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}


Thanks & Regards,
Naresh.N


On Tue, Aug 20, 2019 at 5:34 PM Alessio Fabiani <[hidden email]> wrote:
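The cookie-versus-hidden-field behaviour that the thread works around, as an added example that is not GeoNode's, Django's or the poster's code: it models what document.cookie exposes when Django sets csrftoken with HttpOnly, shows the cookie-based getter coming back empty, and builds the X-CSRFToken header from the csrfmiddlewaretoken hidden input instead. The Set-Cookie headers, page fragment and token value are constructed samples, and the function names are my own.

```javascript
// Added example (not GeoNode's or Django's code): why reading the CSRF token
// from document.cookie stops working once CSRF_COOKIE_HTTPONLY = True, and how
// the hidden csrfmiddlewaretoken field still provides it for AJAX requests.
// Constructed sample: Set-Cookie headers as a browser would receive them from
// Django with CSRF_COOKIE_HTTPONLY = True (token value is made up).
const SET_COOKIE_HEADERS = [
  'csrftoken=abc123TOKENxyz; Max-Age=31449600; Path=/; SameSite=Lax; HttpOnly',
  'sessionid=s3ss10n; Path=/; HttpOnly',
  'django_language=en; Path=/',
];
// Constructed sample: fragment of a page rendered with {% csrf_token %}.
const PAGE_HTML = '<form method="post">' +
  '<input type="hidden" name="csrfmiddlewaretoken" value="abc123TOKENxyz">' +
  '</form>';

// Models what the browser exposes via document.cookie: any cookie carrying the
// HttpOnly attribute is withheld from script entirely.
function documentCookieFromSetCookie(headers) {
  return headers
    .filter(h => !h.split(';').slice(1).some(a => a.trim().toLowerCase() === 'httponly'))
    .map(h => h.split(';')[0].trim())
    .join('; ');
}

// Cookie-based getter, same logic as the getCookie() quoted in the thread.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Replacement: take the token from the hidden csrfmiddlewaretoken input.
function getCsrfTokenFromHtml(html) {
  const m = html.match(/<input[^>]*name=["']?csrfmiddlewaretoken["']?[^>]*value=["']([^"']+)["']/i);
  return m ? m[1] : null;
}

// Header for an XHR/fetch POST; the form field is tried first so the request
// works whether or not the csrftoken cookie is HttpOnly.
function csrfHeaders(html, cookieString) {
  const token = getCsrfTokenFromHtml(html) || getCookie(cookieString, 'csrftoken');
  if (!token) throw new Error('no CSRF token available');
  return { 'X-CSRFToken': token };
}

const visible = documentCookieFromSetCookie(SET_COOKIE_HEADERS);
console.log(getCookie(visible, 'csrftoken'));   // null: the cookie is HttpOnly
console.log(csrfHeaders(PAGE_HTML, visible));   // { 'X-CSRFToken': 'abc123TOKENxyz' }
```

Django accepts the hidden-field value in the X-CSRFToken header, so this is the same approach the thread's edits to theme.js, util.js and GeoNode-mixin.js take; only pages that actually render {% csrf_token %} carry the field.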