- Improved CSRF handling

- Wordpress plugin for Evie Chat

config/config.py

@@ -13,8 +13,11 @@ class Config(object):
     SECRET_KEY = environ.get('SECRET_KEY')
     SESSION_COOKIE_SECURE = False
     SESSION_COOKIE_HTTPONLY = True
+    SESSION_KEY_PREFIX = f'{environ.get('COMPONENT_NAME')}_'
 
     WTF_CSRF_ENABLED = True
+    WTF_CSRF_TIME_LIMIT = None
+    WTF_CSRF_SSL_STRICT = False  # Set to True if using HTTPS
 
     # flask-security-too settings
     # SECURITY_URL_PREFIX = '/admin'
@@ -31,7 +34,7 @@ class Config(object):
     # SECURITY_BLUEPRINT_NAME = 'security_bp'
     SECURITY_PASSWORD_SALT = environ.get('SECURITY_PASSWORD_SALT')
     REMEMBER_COOKIE_SAMESITE = 'strict'
-    SESSION_COOKIE_SAMESITE = 'strict'
+    SESSION_COOKIE_SAMESITE = 'Lax'
     SECURITY_CONFIRMABLE = True
     SECURITY_TRACKABLE = True
     SECURITY_PASSWORD_COMPLEXITY_CHECKER = 'zxcvbn'
@@ -93,7 +96,7 @@ class Config(object):
 
     # Session Settings
     SESSION_TYPE = 'redis'
-    SESSION_PERMANENT = False
+    SESSION_PERMANENT = True
     SESSION_USE_SIGNER = True
     PERMANENT_SESSION_LIFETIME = timedelta(minutes=60)
     SESSION_REFRESH_EACH_REQUEST = True
@@ -200,6 +203,11 @@ class ProdConfig(Config):
     FLASK_DEBUG = False
     EXPLAIN_TEMPLATE_LOADING = False
 
+    # SESSION SETTINGS
+    SESSION_COOKIE_SECURE = True
+
+    WTF_CSRF_SSL_STRICT = True  # Set to True if using HTTPS
+
     # Database Settings
     DB_HOST = environ.get('DB_HOST')
     DB_USER = environ.get('DB_USER')