2014-01-21 07:00:23 +08:00
development:
  session_store: encrypted_cookie_store
  expire_after: 86400 # 1 day in seconds
Use same_site none for session store for relative file links
fixes LA-637
flag=none
Test plan
- Verify that as long as you don't have a separate files domain, you can't reproduce this issue in dev (should just work out of the box)
- Install puma-dev from github.com/puma/puma-dev
- Follow the setup instructions, but configure at least 1 extra domain (.test and something else with the -d switch, it looks like `puma-dev -install -d test:files`)
- Make sure to get the symlink set up
- Add `export THREADS=1` to ~/.powconfig
- In Canvas, in domain.yml under development, add a files_domain that has the same app name, but a different domain (i.e. I set up my domain as canvas-lms.test and my files domain as canvas-lms.files); if you switch back to not using puma-dev, you will need to change these back to what they were
- Also add ssl: true
- In session_store.yml under development, add secure: true
- To start, set up puma-dev in launchctl: `launchctl load ~/Library/LaunchAgents/io.puma.dev.plist`
- To view the server logs, use `less -R log/development.log` and then F
- To have Chrome accept the certificates, open your Keychain Access (on macOS) and move the Puma-dev CA to System
- Create an HTML file that has a link like 'other_file.jpg' and upload both files to a Canvas course in the same folder
- In Chrome, turn on the flags "same site by default cookies" and "cookies without SameSite must be secure"
- Open the file and ensure that it is showing the linked file, and that it is serving it from another domain
- Get an old version of Safari somehow (Xcode or otherwise) (the version on iOS 12 will do it) and verify you can still log in to Canvas
Change-Id: I84e62cc16e3730ffb6bc2d4d7de9b772eedf260e
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/227939
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Mysti Lilla <mysti@instructure.com>
2020-02-25 04:52:55 +08:00
  # secure: true
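The commit above pairs `same_site: none` with `secure: true` and then checks both Chrome's strict SameSite flags and an old Safari. The Ruby below is an added example, not canvas-lms code: it turns a session_store.yml-style hash into the session cookie's Set-Cookie attributes, refuses `same_site: none` unless `secure: true` is also set (Chrome with the "cookies without SameSite must be secure" flag drops such cookies, and a cross-site cookie over plain HTTP is exposed anyway), and omits the SameSite attribute for the clients known to treat SameSite=None as Strict (all browsers on iOS 12, Safari on macOS 10.14), which is what the old-Safari login step of the test plan covers. The function names, the `same_site` key and the user-agent strings are assumptions constructed for the example.

```ruby
# Added example, not canvas-lms code. Turns a session_store.yml-style hash into
# the attribute list of the session cookie and enforces the rule the test plan
# above exercises: SameSite=None is only accepted alongside Secure.

# Constructed user-agent strings for illustration (not taken from the page).
IOS12_UA       = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"
MAC1014_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"
CHROME80_UA    = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36"

# True for clients that interpret SameSite=None as SameSite=Strict (browsers on
# iOS 12, and Safari/WebKit views on macOS 10.14). Sending them SameSite=None
# would break login, which is why the test plan checks an old Safari.
def legacy_samesite_none_bug?(user_agent)
  ua = user_agent.to_s
  return true if ua.include?("AppleWebKit/") && ua =~ /\(iP(?:hone|ad|od)[^)]*\bOS 12[_\d]*/
  return true if ua =~ /\(Macintosh;[^)]*Mac OS X 10_14/ && ua.include?("Version/") &&
                 ua.include?("Safari/") && !ua.include?("Chrome/") && !ua.include?("Chromium/")
  false
end

# Cookie attributes for a given config. `secure` and `expire_after` mirror the
# keys in session_store.yml; `same_site` is an assumed key for this example.
def session_cookie_attributes(config, user_agent: nil)
  secure    = config["secure"] == true
  same_site = config["same_site"]&.to_s&.downcase
  attrs = ["Path=/", "HttpOnly"]
  attrs << "Max-Age=#{Integer(config["expire_after"])}" if config["expire_after"]
  attrs << "Secure" if secure
  case same_site
  when "none"
    # Chrome's "cookies without SameSite must be secure" behaviour rejects the
    # cookie otherwise, and a cross-site cookie over plain HTTP is exposed anyway.
    raise ArgumentError, "same_site: none requires secure: true" unless secure
    attrs << "SameSite=None" unless legacy_samesite_none_bug?(user_agent)
  when "lax", "strict"
    attrs << "SameSite=#{same_site.capitalize}"
  when nil
    # no attribute: Chrome with "same site by default cookies" treats this as Lax
  else
    raise ArgumentError, "unknown same_site value #{same_site.inspect}"
  end
  attrs
end

# Full Set-Cookie header value for the session cookie.
def set_cookie_header(name, value, config, user_agent: nil)
  (["#{name}=#{value}"] + session_cookie_attributes(config, user_agent: user_agent)).join("; ")
end
```

Leaving the attribute off for the legacy clients means those browsers fall back to their old default (no SameSite restriction), so login keeps working there; every other client gets the explicit None plus Secure that the cross-domain files link needs.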
2014-01-21 07:00:23 +08:00

2011-03-15 04:04:31 +08:00
production:
2014-01-21 07:00:23 +08:00
  session_store: encrypted_cookie_store
2011-03-15 05:12:09 +08:00
  expire_after: 86400 # 1 day in seconds
2011-05-25 03:46:16 +08:00
  # uncomment this option if your canvas install is over HTTPS, and the cookies
  # will be SSL-only
  #
  # secure: true
2011-03-23 07:02:27 +08:00
  #
make "stay logged in" use a one-time token
closes #6382
Previously, the "stay logged in" cookie just used the authlogic default implementation, which is the pseudonym persistence_token. This is a problem, because that persistence_token only ever changes when the pseudonym password changes, so it's the same everywhere; so if that cookie is stolen, it's valid for a very long time.
This switches us to one-time-use tokens that expire as soon as the token logs the user in once. Each user agent also gets a different one-time-use token.
Change-Id: I4f20cd7759fd74590e82ed55797552e342243d49
testplan:
* Check that no token is set at all when "stay logged in" isn't selected.
* Check "stay logged in", and verify:
  * That you don't have to log in again after restarting your browser, but your _normandy_session got reset.
  * That if you save and try to replay using the same pseudonym_credentials, they don't work the second time.
  * That a second browser will get a different pseudonym_credentials value, and using one token doesn't affect the other.
  * That once the token is used, a new one is generated and set in your cookies. Verify this new token works as well.
  * That logging out removes the pseudonym_credentials cookie in your browser. And also that manually restoring this cookie still doesn't log you in, since it was removed server-side as well.
* Change your password, and verify that the existing "stay logged in" tokens no longer work.
* Delete your pseudonym, and verify the same.
Reviewed-on: https://gerrit.instructure.com/7093
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
2011-11-22 05:20:48 +08:00
  # change the time that "stay logged in" tokens are valid for, defaults to 1 month
  #
  # expire_remember_me_after: 2592000
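The one-time-token scheme the commit message above describes (a separate token per user agent, each consumed and replaced on use, revoked on logout, password change and pseudonym deletion, valid for `expire_remember_me_after` seconds), as an added Ruby example that is not canvas-lms code. The class and method names, the `password_version` field and the `pseudonym_id::secret` cookie layout are assumptions for the example; Canvas's own table and column names are not on this page. Only a digest of each secret is stored, so the store itself never holds a usable pseudonym_credentials value.

```ruby
require "securerandom"
require "digest"

# Added example, not canvas-lms code: an in-memory model of one-time "stay logged in"
# tokens. Only a SHA-256 digest of each secret is kept server-side, so a copy of the
# table cannot be turned back into valid pseudonym_credentials cookies.
class SessionPersistenceToken
  Record = Struct.new(:pseudonym_id, :created_at, :password_version)

  # ttl defaults to one month, the documented default for expire_remember_me_after.
  def initialize(ttl: 2_592_000)
    @ttl = ttl
    @records = {} # SHA-256(secret) => Record
  end

  # Issue a new token for a pseudonym. Each call (one per user agent) yields an
  # independent token. Returns the value to put in the pseudonym_credentials cookie.
  def generate(pseudonym_id, password_version:, now: Time.now)
    secret = SecureRandom.urlsafe_base64(32)
    @records[digest(secret)] = Record.new(pseudonym_id.to_s, now, password_version)
    "#{pseudonym_id}::#{secret}"
  end

  # Redeem a cookie value. Returns [pseudonym_id, replacement_cookie] on success,
  # nil otherwise. The presented token is deleted first, so replaying the same
  # cookie a second time fails even when this call is rejected further down.
  def redeem(cookie_value, current_password_version:, now: Time.now)
    pseudonym_id, secret = cookie_value.to_s.split("::", 2)
    return nil if pseudonym_id.nil? || secret.nil? || secret.empty?
    record = @records.delete(digest(secret))                          # one-time use
    return nil if record.nil? || record.pseudonym_id != pseudonym_id
    return nil if now - record.created_at > @ttl                      # expired
    return nil if record.password_version != current_password_version # password changed
    [pseudonym_id, generate(pseudonym_id, password_version: current_password_version, now: now)]
  end

  # Logout: drop this browser's token server-side so restoring the cookie is useless.
  def revoke(cookie_value)
    _, secret = cookie_value.to_s.split("::", 2)
    !@records.delete(digest(secret.to_s)).nil?
  end

  # Pseudonym deleted: every token for it goes away.
  def revoke_all(pseudonym_id)
    @records.delete_if { |_, r| r.pseudonym_id == pseudonym_id.to_s }
    nil
  end

  def count_for(pseudonym_id)
    @records.count { |_, r| r.pseudonym_id == pseudonym_id.to_s }
  end

  private

  def digest(secret)
    Digest::SHA256.hexdigest(secret)
  end
end
```

Storing `password_version` with each token is how the example gets the "change your password and old tokens stop working" property without a table scan; a real implementation could equally delete the rows in the password-change callback, which is what the commit's test plan observes from the outside.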
2011-11-22 03:42:51 +08:00

test:
2014-01-21 07:00:23 +08:00
  session_store: encrypted_cookie_store
2011-11-22 03:42:51 +08:00
  expire_after: 86400 # 1 day in seconds