Verified Commit 929b5018 authored by Eliot Berriot

Now reset cookie on profile fetch, to avoid CSRF bugs

parent cd22601f
...@@ -292,7 +292,7 @@ AUTHENTICATION_BACKENDS = ( ...@@ -292,7 +292,7 @@ AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend', 'django.contrib.auth.backends.ModelBackend',
'allauth.account.auth_backends.AuthenticationBackend', 'allauth.account.auth_backends.AuthenticationBackend',
) )
SESSION_COOKIE_HTTPONLY = False
# Some really nice defaults # Some really nice defaults
ACCOUNT_AUTHENTICATION_METHOD = 'username_email' ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
ACCOUNT_EMAIL_REQUIRED = True ACCOUNT_EMAIL_REQUIRED = True
......
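Review bot: `SESSION_COOKIE_HTTPONLY = False` makes Django's session cookie readable by any script that runs on the page, so a single XSS in the front-end would expose the session identifier itself, whereas with HttpOnly kept on a script could at most act through the browser. The flag appears to exist only so the SPA can overwrite the `sessionid` cookie from JavaScript (the companion fetchProfile change); an alternative that keeps HttpOnly is to have the backend clear the session cookie itself, or not issue one on the API paths the SPA calls, and to address the CSRF concern named in the commit title with `SESSION_COOKIE_SAMESITE` where the project's Django version supports it. The hunk header reports seven old and seven new lines, so a removed line is not shown here; whatever was replaced should be checked. If the setting stays, its reason belongs next to it, e.g. `# HttpOnly deliberately off so the SPA can delete a stale sessionid cookie (see front-end store fetchProfile); this widens the impact of any XSS`.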
...@@ -97,6 +97,11 @@ export default { ...@@ -97,6 +97,11 @@ export default {
} }
}, },
fetchProfile ({commit, dispatch, state}) { fetchProfile ({commit, dispatch, state}) {
if (document) {
// this is to ensure we do not have any leaking cookie set by django
document.cookie = 'sessionid=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;'
}
return axios.get('users/users/me/').then((response) => { return axios.get('users/users/me/').then((response) => {
logger.default.info('Successfully fetched user profile') logger.default.info('Successfully fetched user profile')
let data = response.data let data = response.data
......
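Review bot: `if (document)` does not guard a non-browser context, because referencing an undeclared global throws a ReferenceError before the truthiness test runs; if the check is meant to protect tests or server-side execution it should be `if (typeof document !== 'undefined') {`. The overwrite also only removes a cookie whose Domain and Path match exactly what the browser stored, so if the backend issues `sessionid` with a `Domain` attribute or a different path the stale cookie survives silently, and the name `sessionid` is hard-coded to Django's default rather than derived from the backend configuration. The comment would help readers more if it named the effect, e.g. `// clear any session cookie Django set so it is not sent with API requests (the CSRF bugs this commit addresses)`. fetchProfile's body continues past the end of the hunk.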