Skip to Content
Musisz się zarejestrować, aby móc wchodzić w interakcje z tą społecznością.
Wszystkie posty Osoby Odznaki
Tagi (Zobacz wszystko)
odoo accounting v14 pos v15
O tym forum
To pytanie dostało ostrzeżenie
cookiesecuretz
2 Odpowiedzi
3992 Widoki
Awatar
Kevin Kapfer

Where does odoo set the tz cookie?  My security team flagged the cookie as a security finding as it is not marked for httponly or secure.  

For the session_id, I was able to set this in /odoo/odoo-server/odoo/http.py at about line 1409 by setting the session_id like:

set_cookie('session_id', httprequest.session.sid, max_age=1 * 24 * 60 * 60, secure=True, httponly=True)


I am looking for similar code within odoo and am unable to find it.  The closest I've come is in the same file around line 828 where cookies iterated through and set, but 'tz' is not one of them.

res_partner in the base addons folder looks promising, but it's not quite it either.  Maybe I'm overlooking something. 

Awatar
Odrzuć
Awatar
Kevin Kapfer
Autor Najlepsza odpowiedź

What I settled on for now, is to overwrite the tz cookie with the same value, but adding the secure=True and httponly=True attributes.

           user_tz =  httprequest.cookies.get('tz')


            if user_tz:

                response.set_cookie('tz', user_tz, secure=True, httponly=True)

I am doing this in the dispatch function of http.py inside the "try" block of the dispatch method.  This way, the tz remains whatever was derived, but the cookie is updated to use secure and httponly.   I do not see the UI views to which you refer.  

Awatar
Odrzuć
Awatar
Ravi Gadhia
Najlepsza odpowiedź

The timezone cookie doesn't set by server but it's set by javascript (via script)
https://github.com/odoo/odoo/blob/14.0/addons/web/views/webclient_templates.xml#L480

Awatar
Odrzuć
Kevin Kapfer
Autor

Thanks Ravi, I saw the line you refer to. Does a change here require rebuilding the Odoo codebase? I made changes here to add httponly and secure attributes but the changes did not appear in the site. I am now pursuing a path of extracting the partner/user's timezone and explicitly setting a 'tz' cookie with httponly and secure.

Ravi Gadhia

if you change it from the XML file it's needs to rebuild/update the module but you can directly change it from odoo UI from views
check the location protocol in javascript and set the cookie if it's https:

Powiązane posty Odpowiedzi Widoki Czynność
How do I get the Website Cookie bar to popup only once at the home page?
cookie
Awatar
Awatar
1
sty 23
2606
cookies warning on. web site for cloud version Rozwiązane
cookie
Awatar
Awatar
1
lip 20
3061
Can i get the value of session0|session_id using JSON-RPC?
cookie
Awatar
0
mar 15
6990
Domain Cookie issue [RESOLVED]
domain cookie
Awatar
0
paź 24
1072
cannot close cookie bar (?)
cookie popup
Awatar
0
lip 24
1024