Conversation

@LipuFei LipuFei commented Jul 19, 2025

Add the following security-related session cookie settings that were missing:

  • SESSION_COOKIE_HTTPONLY = True
  • SESSION_COOKIE_SECURE comes from config [fab] COOKIE_SECURE
  • SESSION_COOKIE_SAMESITE comes from config [fab] COOKIE_SAMESITE
  • config [webserver] COOKIE_SECURE is renamed to [fab] COOKIE_SECURE
  • config [webserver] COOKIE_SAMESITE is renamed to [fab] COOKIE_SAMESITE

We may want to change the config location because this is now in api-server in 3.0?
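As an added example (not code from this PR or from Airflow), the mapping the description lists, from the `[fab]` cookie settings to Flask's `SESSION_COOKIE_*` keys, next to a small audit of a `Set-Cookie` header that reproduces the check done in Firefox above. It assumes a plain dict standing in for the `[fab]` config section, the `AIRFLOW__SECTION__KEY` environment override convention, and constructed sample headers.

```python
import os

def _as_bool(value):
    return str(value).strip().lower() in ("true", "t", "1", "yes", "y")

def session_cookie_config(fab_section, environ=None):
    """Map the [fab] cookie settings to Flask's SESSION_COOKIE_* keys.

    fab_section is a dict standing in for Airflow's [fab] section (an
    assumption; the real code reads it via conf). Env vars follow the
    AIRFLOW__FAB__COOKIE_SECURE convention mentioned in the thread. Absent
    values fall back to the non-secure defaults the author saw in Firefox."""
    environ = os.environ if environ is None else environ
    secure = environ.get("AIRFLOW__FAB__COOKIE_SECURE",
                         fab_section.get("cookie_secure", "False"))
    samesite = environ.get("AIRFLOW__FAB__COOKIE_SAMESITE",
                           fab_section.get("cookie_samesite", "Lax"))
    return {
        "SESSION_COOKIE_HTTPONLY": True,  # hard-coded, as in the PR
        "SESSION_COOKIE_SECURE": _as_bool(secure),
        "SESSION_COOKIE_SAMESITE": samesite,
    }

def audit_set_cookie(header, cookie_name="session"):
    """Return the protections missing from cookie_name in one Set-Cookie
    header value, e.g. ['HttpOnly', 'Secure']; [] means all three are set."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    if name.strip() != cookie_name:
        raise ValueError(f"header is for {name.strip()!r}, not {cookie_name!r}")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        missing.append("SameSite")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        missing.append("SameSite=None requires Secure")  # browsers drop it otherwise
    return missing

# Constructed sample headers, not captured from a real deployment.
DEFAULT_HEADER = "session=eyJfZnJlc2giOmZhbHNlfQ.abc123; Path=/"
HARDENED_HEADER = "session=eyJfZnJlc2giOmZhbHNlfQ.abc123; Secure; HttpOnly; Path=/; SameSite=Lax"

if __name__ == "__main__":
    print(session_cookie_config({"cookie_secure": "True", "cookie_samesite": "Strict"}))
    for header in (DEFAULT_HEADER, HARDENED_HEADER):
        print(audit_set_cookie(header) or "ok")
```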

@LipuFei LipuFei requested a review from vincbeck as a code owner July 19, 2025 16:04
@LipuFei LipuFei force-pushed the fix/session_cookie branch 4 times, most recently from 1f8602d to 5c4742a on July 19, 2025 19:25
@vincbeck

We marked these configs as deleted in airflow-ctl/src/airflowctl/ctl/commands/config_command.py. If we want to use them back, we should remove them from airflow-ctl/src/airflowctl/ctl/commands/config_command.py as well.

@LipuFei LipuFei commented Jul 22, 2025

Hi @vincelevey, I don't necessarily need these options back, but I found that with self-hosting, the api-server doesn't have these options on by default. I can see from Firefox that my session cookie is not HTTP-only, not secure, etc.

Perhaps you know a better way to have them configured in api-server in 3.0?

I currently just add these 3 options in the api-server config python file via the Helm chart values, and it works. I think it would be great if these options can be set more transparently.

@vincbeck

You are using these configs, so you need them back, and I think this is okay. You are using these configs: conf.getboolean("webserver", "COOKIE_SECURE") and conf.get("webserver", "COOKIE_SAMESITE"). I think the right approach would be to move these configs to the Fab provider because they are specific to Fab. Once done, you would need to update airflow-core/src/airflow/cli/commands/config_command.py and airflow-ctl/src/airflowctl/ctl/commands/config_command.py to no longer mark them as deleted but as moved from webserver to fab. This PR is a good example of how to do that.

@LipuFei LipuFei commented Jul 30, 2025

Thank you. I will check that PR and update my changes.

@LipuFei LipuFei force-pushed the fix/session_cookie branch 2 times, most recently from f358a37 to b28ee8f on July 31, 2025 22:33
@LipuFei LipuFei force-pushed the fix/session_cookie branch from b28ee8f to af273a2 on August 1, 2025 09:01

@vin100bk vin100bk left a comment

Nice! Thanks for taking the time to update the PR :) Much appreciated

@vincbeck vincbeck left a comment

Nice! Thanks for taking the time to update the PR :) Much appreciated

@vincbeck vincbeck merged commit fa09189 into apache:main Aug 1, 2025
72 checks passed
@LipuFei LipuFei deleted the fix/session_cookie branch August 1, 2025 14:34
ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Aug 7, 2025
fweilun pushed a commit to fweilun/airflow that referenced this pull request Aug 11, 2025
@snowsky snowsky commented Dec 16, 2025

Will this fix be included in the next release? Thanks!

Update: a quick question, not sure if this issue is related: #47878, which will be released in 3.2.0.

@vincbeck

It is mostly a provider change, so this is already released in the latest fab provider version.

@snowsky snowsky commented Dec 18, 2025

Is this env var, AIRFLOW__WEBSERVER__COOKIE_SECURE, still valid? I saw it was introduced in version 1.3 but didn't find it in the version 3 docs.

@vincbeck vincbeck commented Jan 5, 2026

It is now AIRFLOW__FAB__COOKIE_SECURE.
