Default SameSite session cookie setting to Lax (#824)

CTFd/config.py

@@ -93,6 +93,7 @@ class Config(object):
         solely on IP addresses unless you know what you are doing.
     '''
     SESSION_COOKIE_HTTPONLY = (not os.getenv("SESSION_COOKIE_HTTPONLY"))  # Defaults True
+    SESSION_COOKIE_SAMESITE = os.getenv("SESSION_COOKIE_SAMESITE") or 'Lax'
     PERMANENT_SESSION_LIFETIME = int(os.getenv("PERMANENT_SESSION_LIFETIME") or 604800)  # 7 days in seconds
     TRUSTED_PROXIES = [
         r'^127\.0\.0\.1$',

CTFd/utils/sessions/__init__.py

@@ -88,6 +88,7 @@ class CachingSessionInterface(SessionInterface):
             httponly = self.get_cookie_httponly(app)
             secure = self.get_cookie_secure(app)
             expires = self.get_expiration_time(app, session)
+            samesite = self.get_cookie_samesite(app)
             val = self.serializer.dumps(dict(session))
 
             if session.sid is None:
@@ -102,5 +103,6 @@ class CachingSessionInterface(SessionInterface):
                 httponly=httponly,
                 domain=domain,
                 path=path,
-                secure=secure
+                secure=secure,
+                samesite=samesite
             )

tests/utils/test_sessions.py

@@ -0,0 +1,21 @@
+from tests.helpers import *
+
+
+def test_sessions_set_httponly():
+    app = create_ctfd()
+    with app.app_context():
+        with app.test_client() as client:
+            r = client.get('/')
+            cookie = dict(r.headers)['Set-Cookie']
+            assert 'HttpOnly;' in cookie
+    destroy_ctfd(app)
+
+
+def test_sessions_set_samesite():
+    app = create_ctfd()
+    with app.app_context():
+        with app.test_client() as client:
+            r = client.get('/')
+            cookie = dict(r.headers)['Set-Cookie']
+            assert 'SameSite=' in cookie
+    destroy_ctfd(app)