- Improved CSRF handling

- Wordpress plugin for Evie Chat

config/config.py

@@ -13,8 +13,11 @@ class Config(object):
     SECRET_KEY = environ.get('SECRET_KEY')
     SESSION_COOKIE_SECURE = False
     SESSION_COOKIE_HTTPONLY = True
+    SESSION_KEY_PREFIX = f'{environ.get('COMPONENT_NAME')}_'
 
     WTF_CSRF_ENABLED = True
+    WTF_CSRF_TIME_LIMIT = None
+    WTF_CSRF_SSL_STRICT = False  # Set to True if using HTTPS
 
     # flask-security-too settings
     # SECURITY_URL_PREFIX = '/admin'
@@ -31,7 +34,7 @@ class Config(object):
     # SECURITY_BLUEPRINT_NAME = 'security_bp'
     SECURITY_PASSWORD_SALT = environ.get('SECURITY_PASSWORD_SALT')
     REMEMBER_COOKIE_SAMESITE = 'strict'
-    SESSION_COOKIE_SAMESITE = 'strict'
+    SESSION_COOKIE_SAMESITE = 'Lax'
     SECURITY_CONFIRMABLE = True
     SECURITY_TRACKABLE = True
     SECURITY_PASSWORD_COMPLEXITY_CHECKER = 'zxcvbn'
@@ -93,7 +96,7 @@ class Config(object):
 
     # Session Settings
     SESSION_TYPE = 'redis'
-    SESSION_PERMANENT = False
+    SESSION_PERMANENT = True
     SESSION_USE_SIGNER = True
     PERMANENT_SESSION_LIFETIME = timedelta(minutes=60)
     SESSION_REFRESH_EACH_REQUEST = True
@@ -200,6 +203,11 @@ class ProdConfig(Config):
     FLASK_DEBUG = False
     EXPLAIN_TEMPLATE_LOADING = False
 
+    # SESSION SETTINGS
+    SESSION_COOKIE_SECURE = True
+
+    WTF_CSRF_SSL_STRICT = True  # Set to True if using HTTPS
+
     # Database Settings
     DB_HOST = environ.get('DB_HOST')
     DB_USER = environ.get('DB_USER')

config/logging_config.py

@@ -117,11 +117,11 @@ LOGGING = {
     'formatters': {
         'standard': {
             'format': '%(asctime)s [%(levelname)s] %(name)s (%(component)s) [%(module)s:%(lineno)d in %(funcName)s] '
-                      '[Thread: %(threadName)s] [Host: %(hostname)s]: %(message)s'
+                      '[Thread: %(threadName)s]: %(message)s'
         },
         'graylog': {
             'format': '[%(levelname)s] %(name)s (%(component)s) [%(module)s:%(lineno)d in %(funcName)s] '
-                      '[Thread: %(threadName)s] [Host: %(hostname)s]: %(message)s',
+                      '[Thread: %(threadName)s]: %(message)s',
             'datefmt': '%Y-%m-%d %H:%M:%S',
         },
     },