SameSite cookie hanlders in SamlSessionMiddleware - thanks to Andre Borie for guidelines

Author: peppelinux

.coverage

@@ -68,7 +68,7 @@ do to make sure it is compatible with your Django version and environment.
   you run any other Django application test suite. Just type ``python manage.py
   test djangosaml2``.
 
-  Python 2 users need to ``pip install djangosaml2[test]`` in order to run the
+  Python users need to ``pip install djangosaml2[test]`` in order to run the
   tests.
 
 Then you have to add the ``djangosaml2.backends.Saml2Backend``
@@ -106,6 +106,10 @@ If you want to allow several authentication mechanisms in your project
 you should set the LOGIN_URL option to another view and put a link in such
 view to the ``/saml2/login/`` view.
 
+Add the SAML Session Middleware as follow::
+
+  MIDDLEWARE.append('djangosaml2.middleware.SamlSessionMiddleware')
+
 Handling Post-Login Redirects
 -----------------------------
 It is often desireable for the client to maintain the URL state (or at least manage it) so that
@@ -116,11 +120,11 @@ host matches the output of get_host().  However, in some cases it becomes desire
 hostnames to be used for the post-login redirect.  In such cases, the setting::
 
   SAML_ALLOWED_HOSTS = []
-  
+
 May be set to a list of allowed post-login redirect hostnames (note, the URL components beyond the hostname
-may be specified by the client - typically with the ?next= parameter.) 
+may be specified by the client - typically with the ?next= parameter.)
 
-In the absence of a ?next= parameter, the LOGIN_REDIRECT_URL setting will be used (assuming the destination hostname 
+In the absence of a ?next= parameter, the LOGIN_REDIRECT_URL setting will be used (assuming the destination hostname
 either matches the output of get_host() or is included in the SAML_ALLOWED_HOSTS setting)
 
 
@@ -205,11 +209,11 @@ We will see a typical configuration for protecting a Django project::
                 },
              # Mandates that the identity provider MUST authenticate the
              # presenter directly rather than rely on a previous security context.
-            'force_authn': False, 
-            
+            'force_authn': False,
+
              # Enable AllowCreate in NameIDPolicy.
             'name_id_format_allow_create': False,
-            
+
              # attributes that this project need to identify a user
             'required_attributes': ['uid'],
 
@@ -327,6 +331,15 @@ setting::
   SAML_CONFIG_LOADER = 'python.path.to.your.callable'
 
 
+SameSite cookie
+...............
+
+By default, djangosaml2 handle the saml2 session in a separate cookie.
+The storage linked to it is accessible by default at `request.saml_session`.
+You can even configure this using::
+
+  SAML_SESSION_COOKIE_NAME = 'saml_session'
+
 Custom error handler
 ....................
 
@@ -544,12 +557,16 @@ Unit tests
 You can also run the unit tests as follows::
 
   pip install -r requirements-dev.txt
+  # or
+  pip install djangosaml2[test]
   python3 tests/manage.py migrate
-  
+
+then::
+
   python tests/run_tests.py
 
 or::
-  
+
   cd tests/
   ./manage.py test djangosaml2
 

README.rst

@@ -63,6 +63,9 @@ def delete(self, saml2_session_id):
             del self._db[saml2_session_id]
             self._db.sync()
 
+    def sync(self):
+        self._db.sync()
+
 
 class IdentityCache(Cache):
     """Handles information about the users that have been succesfully

djangosaml2/cache.py

@@ -0,0 +1,73 @@
+import time
+from importlib import import_module
+
+from django.conf import settings
+from django.contrib.sessions.backends.base import UpdateError
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.core.exceptions import SuspiciousOperation
+from django.utils.cache import patch_vary_headers
+from django.utils.http import http_date
+
+
+class SamlSessionMiddleware(SessionMiddleware):
+    session_name = getattr(settings, 'SAML_SESSION_COOKIE_NAME', 'saml_session')
+
+    def process_request(self, request):
+        session_key = request.COOKIES.get(self.session_name, None)
+        setattr(request, self.session_name, self.SessionStore(session_key))
+
+    def process_response(self, request, response):
+        """
+        If request.saml_session was modified, or if the configuration is to save the
+        session every time, save the changes and set a session cookie or delete
+        the session cookie if the session has been emptied.
+        """
+        try:
+            accessed = getattr(request, self.session_name).accessed
+            modified = getattr(request, self.session_name).modified
+            empty = getattr(request, self.session_name).is_empty()
+        except AttributeError:
+            return response
+        # First check if we need to delete this cookie.
+        # The session should be deleted only if the session is entirely empty.
+        if self.session_name in request.COOKIES and empty:
+            response.delete_cookie(
+                self.session_name,
+                path=settings.SESSION_COOKIE_PATH,
+                domain=settings.SESSION_COOKIE_DOMAIN,
+                samesite=None,
+            )
+            patch_vary_headers(response, ('Cookie',))
+        else:
+            if accessed:
+                patch_vary_headers(response, ('Cookie',))
+            if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+                if request.session.get_expire_at_browser_close():
+                    max_age = None
+                    expires = None
+                else:
+                    max_age = getattr(request, self.session_name).get_expiry_age()
+                    expires_time = time.time() + max_age
+                    expires = http_date(expires_time)
+                # Save the session data and refresh the client cookie.
+                # Skip session save for 500 responses, refs #3881.
+                if response.status_code != 500:
+                    try:
+                        getattr(request, self.session_name).save()
+                    except UpdateError:
+                        raise SuspiciousOperation(
+                            "The request's session was deleted before the "
+                            "request completed. The user may have logged "
+                            "out in a concurrent request, for example."
+                        )
+                    response.set_cookie(
+                        self.session_name,
+                        getattr(request, self.session_name).session_key,
+                        max_age=max_age,
+                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+                        path=settings.SESSION_COOKIE_PATH,
+                        secure=settings.SESSION_COOKIE_SECURE or None,
+                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+                        samesite=None
+                    )
+        return response

djangosaml2/middleware.py

@@ -88,7 +88,7 @@ def remove_variable_attributes(xml_string):
                 xml_string)
 
             return xml_string
-        
+
         self.assertEqual(remove_variable_attributes(real_xml),
                          remove_variable_attributes(expected_xmls))
 
@@ -129,7 +129,7 @@ def test_unsigned_post_authn_request(self):
         response_parser = SAMLPostFormParser()
         response_parser.feed(response.content.decode('utf-8'))
         saml_request = response_parser.saml_request_value
-        
+
         self.assertIsNotNone(saml_request)
         if 'AuthnRequest xmlns' not in base64.b64decode(saml_request).decode('utf-8'):
             raise Exception('test_unsigned_post_authn_request: Not a valid AuthnRequest')
@@ -149,7 +149,7 @@ def test_login_evil_redirect(self):
         response = self.client.get(reverse('saml2_login') + '?next=http://evil.com')
         url = urlparse(response['Location'])
         params = parse_qs(url.query)
-        
+
         self.assertEqual(params['RelayState'], [settings.LOGIN_REDIRECT_URL, ])
 
     def test_login_one_idp(self):
@@ -171,7 +171,7 @@ def test_login_one_idp(self):
         params = parse_qs(url.query)
         self.assertIn('SAMLRequest', params)
         self.assertIn('RelayState', params)
-        
+
         saml_request = params['SAMLRequest'][0]
         if 'AuthnRequest xmlns' not in decode_base64_and_inflate(saml_request).decode('utf-8'):
             raise Exception('Not a valid AuthnRequest')
@@ -182,7 +182,7 @@ def test_login_one_idp(self):
         response = self.client.get(reverse('saml2_login'), {'next': next})
         self.assertEqual(response.status_code, 302)
         location = response['Location']
-        
+
         url = urlparse(location)
         self.assertEqual(url.hostname, 'idp.example.com')
         self.assertEqual(url.path, '/simplesaml/saml2/idp/SSOService.php')
@@ -359,12 +359,12 @@ def test_logout(self):
         self.assertIn('SAMLRequest', params)
 
         saml_request = params['SAMLRequest'][0]
-                                      
+
         if 'LogoutRequest xmlns' not in decode_base64_and_inflate(saml_request).decode('utf-8'):
             raise Exception('Not a valid LogoutRequest')
 
-        
-        
+
+
     def test_logout_service_local(self):
         settings.SAML_CONFIG = conf.create_conf(
             sp_host='sp.example.com',
@@ -435,7 +435,7 @@ def test_logout_service_global(self):
         params = parse_qs(url.query)
         self.assertIn('SAMLResponse', params)
         saml_response = params['SAMLResponse'][0]
-        
+
         if 'Response xmlns' not in decode_base64_and_inflate(saml_response).decode('utf-8'):
             raise Exception('Not a valid Response')
 
@@ -636,7 +636,10 @@ def test_custom_conf_loader_from_view(self):
         request.user = AnonymousUser()
         middleware = SessionMiddleware()
         middleware.process_request(request)
-        request.session.save()
+
+        saml_session_name = getattr(settings, 'SAML_SESSION_COOKIE_NAME', 'saml_session')
+        getattr(request, saml_session_name).save()
+
         response = views.login(request, config_loader_path)
         self.assertEqual(response.status_code, 302)
         location = response['Location']

djangosaml2/tests/__init__.py

@@ -95,3 +95,7 @@ def validate_referral_url(request, url):
         return settings.LOGIN_REDIRECT_URL
     else:
         return url
+
+def get_saml_request_session(request):
+    session_name = getattr(settings, 'SAML_SESSION_COOKIE_NAME', 'saml_session')
+    return getattr(request, session_name)

djangosaml2/utils.py

@@ -53,7 +53,7 @@
 from .signals import post_authenticated
 from .utils import (available_idps, fail_acs_response, get_custom_setting,
                     get_idp_sso_supported_bindings, get_location,
-                    validate_referral_url)
+                    validate_referral_url, get_saml_request_session)
 
 try:
     from django.contrib.auth.views import LogoutView
@@ -246,10 +246,11 @@ def login(request,
     else:
         raise UnsupportedBinding('Unsupported binding: %s', binding)
 
+    saml_session = get_saml_request_session(request)
     # success, so save the session ID and return our response
-    logger.debug('Saving the session_id in the OutstandingQueries cache')
-    oq_cache = OutstandingQueriesCache(request.session)
+    oq_cache = OutstandingQueriesCache(saml_session)
     oq_cache.set(session_id, came_from)
+    logger.debug('Saving the session_id "{}" in the OutstandingQueries cache'.format(oq_cache.__dict__))
     return http_response
 
 
@@ -286,9 +287,10 @@ def post(self,
             logger.warning('Missing "SAMLResponse" parameter in POST data.')
             raise SuspiciousOperation
 
-        client = Saml2Client(conf, identity_cache=IdentityCache(self.request.session))
-
-        oq_cache = OutstandingQueriesCache(self.request.session)
+        saml_session = get_saml_request_session(request)
+        client = Saml2Client(conf, identity_cache=IdentityCache(saml_session))
+        oq_cache = OutstandingQueriesCache(saml_session)
+        oq_cache.sync()
         outstanding_queries = oq_cache.outstanding_queries()
 
         try:
@@ -343,7 +345,7 @@ def post(self,
             return fail_acs_response(request, exception=PermissionDenied('No user could be authenticated.'))
 
         auth.login(self.request, user)
-        _set_subject_id(self.request.session, session_info['name_id'])
+        _set_subject_id(saml_session, session_info['name_id'])
         logger.debug("User %s authenticated via SSO.", user)
         logger.debug('Sending the post_authenticated signal')
 
@@ -403,12 +405,13 @@ def echo_attributes(request,
                     config_loader_path=None,
                     template='djangosaml2/echo_attributes.html'):
     """Example view that echo the SAML attributes of an user"""
-    state = StateCache(request.session)
+    saml_session = get_saml_request_session(request)
+    state = StateCache(saml_session)
     conf = get_config(config_loader_path, request)
 
     client = Saml2Client(conf, state_cache=state,
-                         identity_cache=IdentityCache(request.session))
-    subject_id = _get_subject_id(request.session)
+                         identity_cache=IdentityCache(saml_session))
+    subject_id = _get_subject_id(saml_session)
     try:
         identity = client.users.get_identity(subject_id,
                                              check_not_on_or_after=False)
@@ -425,12 +428,13 @@ def logout(request, config_loader_path=None):
     This view initiates the SAML2 Logout request
     using the pysaml2 library to create the LogoutRequest.
     """
-    state = StateCache(request.session)
+    saml_session = get_saml_request_session(request)
+    state = StateCache(saml_session)
     conf = get_config(config_loader_path, request)
 
     client = Saml2Client(conf, state_cache=state,
-                         identity_cache=IdentityCache(request.session))
-    subject_id = _get_subject_id(request.session)
+                         identity_cache=IdentityCache(saml_session))
+    subject_id = _get_subject_id(saml_session)
     if subject_id is None:
         logger.warning(
             'The session does not contain the subject id for user %s',
@@ -508,9 +512,10 @@ def do_logout_service(request, data, binding, config_loader_path=None, next_page
     logger.debug('Logout service started')
     conf = get_config(config_loader_path, request)
 
-    state = StateCache(request.session)
+    saml_session = get_saml_request_session(request)
+    state = StateCache(saml_session)
     client = Saml2Client(conf, state_cache=state,
-                         identity_cache=IdentityCache(request.session))
+                         identity_cache=IdentityCache(saml_session))
 
     if 'SAMLResponse' in data:  # we started the logout
         logger.debug('Receiving a logout response from the IdP')
@@ -520,7 +525,7 @@ def do_logout_service(request, data, binding, config_loader_path=None, next_page
 
     elif 'SAMLRequest' in data:  # logout started by the IdP
         logger.debug('Receiving a logout request from the IdP')
-        subject_id = _get_subject_id(request.session) if hasattr(request, 'session') else None
+        subject_id = _get_subject_id(saml_session)
 
         if subject_id is None:
             logger.warning(