Support HttpOnly and SameSite for cookies

Make HttpOnly and SameSite configurable for session cookies,
set HttpOnly=True and SameSite='Strict' by default.

Author: Cito

docs/config.rst

@@ -100,6 +100,10 @@ Sessions
     You can specify a path for the session cookie here. ``None`` means that the servlet path will be used, which is normally the best choice. If you rewrite the URL using different prefixes, you may have to specify a fixed prefix for all your URLs. Using the root path '/' will always work, but may have security issues if you are running less secure applications on the same server. Default: ``None``.
 ``SecureSessionCookie``:
     If True, then the Application will use a secure cookie for the session ID if the request was using an HTTPS connection. Default: ``True``.
+``HttpOnlySessionCookie``:
+    If True, then the Application will set the HttpOnly attribute on the session cookie . Default: ``True``.
+``SameSiteSessionCookie``:
+    If not ``None``, then the Application will set this value as the SameSite attribute on the session cookie . Default: ``Strict``.
 ``MaxDynamicMemorySessions``:
     The maximum number of dynamic memory sessions that will be retained in memory. When this number is exceeded, the least recently used, excess sessions will be pushed out to disk. This setting can be used to help control memory requirements, especially for busy sites. This is used only if the ``SessionStore`` is set to ``Dynamic``. Default: ``10000``.
 ``DynamicSessionTimeout``:

webware/Application.py

@@ -112,6 +112,8 @@
     SaveErrorMessages=True,
     SecureSessionCookie=True,
     SessionCookiePath=None,
+    HttpOnlySessionCookie=True,
+    SameSiteSessionCookie='Strict',
     SessionModule='Session',
     SessionName='_SID_',
     SessionPrefix='',

webware/Configs/Application.config

@@ -69,6 +69,8 @@ UseCookieSessions = True
 # If you rewrite the URL, you may need to specify this explicitly:
 SessionCookiePath = None  # the servlet path is used if not specified
 SecureSessionCookie = True  # use a secure cookie for HTTPS connections
+HttpOnlySessionCookie = True  # session cookie should be HttpOnly
+SameSiteSessionCookie = 'Strict'  # set SameSite attribute on session cookie
 
 # Set this to True to allow extra path info to be attached to URLs
 ExtraPathInfo = False  # no extra path info

webware/Cookie.py

@@ -64,12 +64,12 @@ def comment(self):
     def domain(self):
         return self._cookie['domain']
 
-    def maxAge(self):
-        return self._cookie['max-age']
-
     def expires(self):
         return self._cookie['expires']
 
+    def maxAge(self):
+        return self._cookie['max-age']
+
     def name(self):
         return self._name
 
@@ -79,6 +79,15 @@ def path(self):
     def isSecure(self):
         return self._cookie['secure']
 
+    def httpOnly(self):
+        return self._cookie['httponly']
+
+    def sameSite(self):
+        try:
+            return self._cookie['samesite']
+        except KeyError:  # Python < 3.8
+            return ''
+
     def value(self):
         return self._value
 
@@ -107,6 +116,12 @@ def setPath(self, path):
     def setSecure(self, secure=True):
         self._cookie['secure'] = secure
 
+    def setHttpOnly(self, httpOnly=True):
+        self._cookie['httponly'] = httpOnly
+
+    def setSameSite(self, sameSite='Strict'):
+        self._cookie['samesite'] = sameSite
+
     def setValue(self, value):
         self._value = value
         self._cookies[self._name] = value

webware/HTTPResponse.py

@@ -406,6 +406,11 @@ def recordSession(self):
         cookie.setPath(app.sessionCookiePath(trans))
         if request.isSecure():
             cookie.setSecure(app.setting('SecureSessionCookie'))
+        if app.setting('HttpOnlySessionCookie'):
+            cookie.setHttpOnly()
+        sameSite = app.setting('SameSiteSessionCookie')
+        if sameSite:
+            cookie.setSameSite(sameSite)
         self.addCookie(cookie)
         if debug:
             print('>> recordSession: Setting SID', identifier)