[PR #6054] [MERGED] fix: set token cookie secure and samesite per config #8614

Closed
opened 2025-11-11 18:01:08 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/6054
Author: @jeeteshchel
Created: 10/9/2024
Status: Merged
Merged: 10/9/2024
Merged by: @tjbck

Base: dev ← Head: bugfix/secure-cookie


📝 Commits (1)

  • a2e889c fix: set oauth token secure and samesite per config

📊 Changes

2 files changed (+10 additions, -0 deletions)

View changed files

📝 backend/open_webui/apps/webui/routers/auths.py (+8 -0)
📝 backend/open_webui/main.py (+2 -0)

📄 Description


Enhance Cookie Security Settings

Description

This pull request enhances the security of session cookies by adding samesite and secure attributes to cookie settings within the authentication and session management functions. These changes aim to improve the application's resilience against cross-site request forgery (CSRF) attacks and ensure that cookies are only transmitted over secure channels.

Changelog

Added

  • Included samesite and secure attributes to the cookie settings in the following functions:
    • get_session_user
    • signin
    • signup
    • oauth_callback

Changed

  • Updated the auths.py and main.py files to include the new cookie attributes.

Security

  • Enhanced session cookies with samesite and secure attributes to mitigate CSRF attacks and ensure cookies are transmitted securely.

Note to first-time contributors

Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Pull Request Checklist

  • Target branch: This pull request targets the dev branch.
  • Description: Provided a concise description of the changes made in this pull request.
  • Changelog: Ensured a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Updated relevant documentation Open WebUI Docs, or other documentation sources.
  • Dependencies: Checked for any new dependencies and updated the dependency versions in the documentation.
  • Testing: Ran sufficient manual tests for validating the changes.
  • Code review: Performed a self-review of the code, addressing any coding standard issues and ensuring adherence to the project's coding standards.
  • Prefix: Prefixed the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Additional Information

  • Reference issues: #4233

Screenshots or Videos

  • NA

This pull request aims to improve the security of session management within the application. If there are any questions or further clarifications needed, please let me know. Thank you for reviewing and considering these changes.



🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
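The PR sets the session cookie's `secure` and `samesite` attributes from configuration rather than hard-coding them. The following is an added example, not code from the PR or from Open WebUI: it builds the `Set-Cookie` value with the standard library's `http.cookies.SimpleCookie` instead of FastAPI's `response.set_cookie`, reads the two attributes from assumed environment variable names (`SESSION_COOKIE_SECURE`, `SESSION_COOKIE_SAME_SITE`, constructed for this example and not the project's own settings), rejects the one combination browsers refuse (`SameSite=None` without `Secure`), and includes a small audit that reports which protective attributes a header is missing.

```python
"""Build and audit a session-token Set-Cookie header whose Secure and SameSite
attributes come from configuration. Added example using only the stdlib."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

VALID_SAMESITE = ("lax", "strict", "none")


@dataclass(frozen=True)
class CookieConfig:
    # Hypothetical config object; the real project reads its own settings.
    secure: bool = True
    samesite: str = "lax"
    httponly: bool = True


def cookie_config_from_env(env: Dict[str, str]) -> CookieConfig:
    """Derive the cookie config from environment-style strings.
    The variable names are constructed for this example."""
    secure = env.get("SESSION_COOKIE_SECURE", "true").strip().lower() == "true"
    samesite = env.get("SESSION_COOKIE_SAME_SITE", "lax").strip().lower()
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    # Browsers discard a SameSite=None cookie that is not also marked Secure,
    # so that combination is a misconfiguration rather than a weaker setting.
    if samesite == "none" and not secure:
        raise ValueError("SameSite=None requires Secure")
    return CookieConfig(secure=secure, samesite=samesite)


def build_token_cookie(token: str, cfg: CookieConfig, name: str = "token") -> str:
    """Return the Set-Cookie header value for the session token."""
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = cfg.httponly   # keeps page scripts from reading it
    morsel["secure"] = cfg.secure       # only sent over HTTPS when True
    morsel["samesite"] = cfg.samesite   # limits cross-site sends (CSRF)
    return morsel.OutputString()


def _parse_attributes(header: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into a lowercase attribute map."""
    attrs: Dict[str, object] = {}
    for part in [p.strip() for p in header.split(";")][1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value.strip().lower() if value else True
    return attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses found in a Set-Cookie value (empty when clean)."""
    attrs = _parse_attributes(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    samesite: Optional[object] = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    return findings


if __name__ == "__main__":
    cfg = cookie_config_from_env({"SESSION_COOKIE_SECURE": "true",
                                  "SESSION_COOKIE_SAME_SITE": "lax"})
    header = build_token_cookie("example-token", cfg)
    print(header)
    print(audit_set_cookie(header) or "no findings")
```

The audit is meant for a deployment check: capture the `Set-Cookie` header the running instance returns after sign-in and feed it to `audit_set_cookie`; a reverse proxy that terminates TLS but serves the backend over plain HTTP is the usual reason `Secure` ends up disabled in config, and the audit makes that visible.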

GiteaMirror added the pull-request label 2025-11-11 18:01:08 -06:00

Reference: github-starred/open-webui#8614