Creating cookies with SameSite and HttpOnly.

Author: rohe

src/oidcendpoint/cookie.py

@@ -390,14 +390,17 @@ def delete_cookie(self, cookie_name=None):
 
         return self.create_cookie("", "", cookie_name=cookie_name, kill=True)
 
-    def create_cookie(self, value, typ, cookie_name=None, ttl=-1, kill=False):
+    def create_cookie(self, value, typ, cookie_name=None, ttl=-1, kill=False,
+                      same_site="", http_only=True):
         """
 
         :param value: Part of the cookie payload
         :param typ: Type of cookie
         :param cookie_name:
         :param ttl: Number of minutes before this cookie goes stale
         :param kill: Whether the the cookie should expire on arrival
+        :param same_site:
+        :param http_only:
         :return: A tuple to be added to headers
         """
         if kill:
@@ -435,6 +438,8 @@ def create_cookie(self, value, typ, cookie_name=None, ttl=-1, kill=False):
             enc_key=self.enc_key,
             max_age=ttl,
             sign_alg=self.sign_alg,
+            same_site=same_site,
+            http_only=http_only,
             **c_args
         )
 
@@ -476,6 +481,8 @@ def append_cookie(
             path=None,
             timestamp="",
             max_age=0,
+            same_site="None",
+            http_only=True
     ):
         """
         Adds a cookie to a SimpleCookie instance
@@ -490,7 +497,8 @@ def append_cookie(
         :param max_age:
         :return:
         """
-        timestamp = str(int(time.time()))
+        if not timestamp:
+            timestamp = str(int(time.time()))
 
         # create cookie payload
         try:
@@ -508,6 +516,8 @@ def append_cookie(
             enc_key=self.enc_key,
             max_age=max_age,
             sign_alg=self.sign_alg,
+            same_site=same_site,
+            http_only=http_only
         )
 
         for name, args in content.items():

src/oidcendpoint/oidc/authorization.py

@@ -610,6 +610,7 @@ def authz_part2(self, user, authn_event, request, **kwargs):
                     as_unicode(_state),
                     typ="session",
                     cookie_name=ec.cookie_name["session_management"],
+                    same_site="None", http_only=False
                 )
 
                 opbs = session_cookie[ec.cookie_name["session_management"]]

tests/test_09_cookie_dealer.py

@@ -3,6 +3,7 @@
 import pytest
 from cryptojwt.jwk.hmac import SYMKey
 from cryptojwt.key_jar import init_key_jar
+
 from oidcendpoint.cookie import CookieDealer
 from oidcendpoint.cookie import append_cookie
 from oidcendpoint.cookie import compute_session_state
@@ -174,6 +175,20 @@ def test_mult_cookie(self):
         assert _value[0] == "value"
         assert _value[2] == "sso"
 
+    def test_mult_cookie_same_site(self):
+        _cookie1 = self.cookie_dealer.create_cookie("value", "sso", same_site="None",
+                                                    http_only=False)
+        _cookie = self.cookie_dealer.append_cookie(
+            _cookie1, "session", "session_state", "session",
+        )
+        assert len(_cookie) == 2
+        _value = self.cookie_dealer.get_cookie_value(_cookie, "session")
+        assert _value[0] == "session_state"
+        assert _value[2] == "session"
+        _value = self.cookie_dealer.get_cookie_value(_cookie, "oidc_op")
+        assert _value[0] == "value"
+        assert _value[2] == "sso"
+
 
 def test_compute_session_state():
     hv = compute_session_state(
@@ -285,4 +300,3 @@ def test_cookie_same_site_none():
     assert kaka['test']["secure"] is True
     assert kaka["test"]["httponly"] is True
     assert kaka["test"]["samesite"] is "None"
-