From 929b50183a486ae84827b9058b5c27e0c08278e3 Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Sun, 6 May 2018 11:20:18 +0200
Subject: [PATCH] Now reset cookie on profile fetch, to avoid CSRF bugs

---
 api/config/settings/common.py | 2 +-
 front/src/store/auth.js       | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 50bc52fe..2e9421e7 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -292,7 +292,7 @@ AUTHENTICATION_BACKENDS = (
     'django.contrib.auth.backends.ModelBackend',
     'allauth.account.auth_backends.AuthenticationBackend',
 )
-
+SESSION_COOKIE_HTTPONLY = False
 # Some really nice defaults
 ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
 ACCOUNT_EMAIL_REQUIRED = True
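Review bot: `SESSION_COOKIE_HTTPONLY = False` drops the HttpOnly flag from Django's session cookie, so the session identifier becomes readable from any script running on the front-end, which turns a script-injection bug into session theft; the only reason given for it is so that `front/src/store/auth.js` can overwrite a stale `sessionid` from JavaScript. A server-side path keeps HttpOnly intact: have the API expire the session cookie itself on the profile endpoint (or on a logout call made before fetching the profile) instead of letting the SPA touch it. If the setting has to stay, it needs a comment explaining the trade-off and the coupling, e.g. `# HttpOnly disabled only so the SPA can clear a stale sessionid (front/src/store/auth.js); exposes the session id to page scripts — revisit.` The hunk also removes the blank line that separated this block from the unrelated "Some really nice defaults" settings; keep one blank line before the comment.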
diff --git a/front/src/store/auth.js b/front/src/store/auth.js
index b1753404..68a15090 100644
--- a/front/src/store/auth.js
+++ b/front/src/store/auth.js
@@ -97,6 +97,11 @@ export default {
       }
     },
     fetchProfile ({commit, dispatch, state}) {
+      if (document) {
+        // this is to ensure we do not have any leaking cookie set by django
+        document.cookie = 'sessionid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;'
+      }
+
       return axios.get('users/users/me/').then((response) => {
         logger.default.info('Successfully fetched user profile')
         let data = response.data
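Review bot: `if (document)` throws a ReferenceError instead of skipping the block when `document` is not declared at all (unit tests or any non-browser runtime), because the check only guards a falsy value, not an undeclared global; use `if (typeof document !== 'undefined') {`. The overwrite on the next line only removes a cookie whose name, Path and domain match exactly what the backend set, so it silently does nothing if the API runs with a non-default `SESSION_COOKIE_NAME`, a `SESSION_COOKIE_DOMAIN`, or a non-root cookie path, and it only works at all because the companion `common.py` hunk turns off HttpOnly — worth stating in the comment, e.g. `// relies on SESSION_COOKIE_HTTPONLY = False in the API settings; must match the cookie's name/Path/domain exactly`. fetchProfile's body continues past the end of the hunk.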
-- 
GitLab