SameSite cookie hanlders in SamlSessionMiddleware - thanks to Andre Borie for guidelines

Author: peppelinux

.coverage

@@ -68,7 +68,7 @@ do to make sure it is compatible with your Django version and environment.
   you run any other Django application test suite. Just type ``python manage.py
   test djangosaml2``.
 
-  Python 2 users need to ``pip install djangosaml2[test]`` in order to run the
+  Python users need to ``pip install djangosaml2[test]`` in order to run the
   tests.
 
 Then you have to add the ``djangosaml2.backends.Saml2Backend``
@@ -106,6 +106,10 @@ If you want to allow several authentication mechanisms in your project
 you should set the LOGIN_URL option to another view and put a link in such
 view to the ``/saml2/login/`` view.
 
+Add the SAML Session Middleware as follow::
+
+  MIDDLEWARE.append('djangosaml2.middleware.SamlSessionMiddleware')
+
 Handling Post-Login Redirects
 -----------------------------
 It is often desireable for the client to maintain the URL state (or at least manage it) so that
@@ -116,11 +120,11 @@ host matches the output of get_host().  However, in some cases it becomes desire
 hostnames to be used for the post-login redirect.  In such cases, the setting::
 
   SAML_ALLOWED_HOSTS = []
-  
+
 May be set to a list of allowed post-login redirect hostnames (note, the URL components beyond the hostname
-may be specified by the client - typically with the ?next= parameter.) 
+may be specified by the client - typically with the ?next= parameter.)
 
-In the absence of a ?next= parameter, the LOGIN_REDIRECT_URL setting will be used (assuming the destination hostname 
+In the absence of a ?next= parameter, the LOGIN_REDIRECT_URL setting will be used (assuming the destination hostname
 either matches the output of get_host() or is included in the SAML_ALLOWED_HOSTS setting)
 
 
@@ -205,11 +209,11 @@ We will see a typical configuration for protecting a Django project::
                 },
              # Mandates that the identity provider MUST authenticate the
              # presenter directly rather than rely on a previous security context.
-            'force_authn': False, 
-            
+            'force_authn': False,
+
              # Enable AllowCreate in NameIDPolicy.
             'name_id_format_allow_create': False,
-            
+
              # attributes that this project need to identify a user
             'required_attributes': ['uid'],
 
@@ -327,6 +331,15 @@ setting::
   SAML_CONFIG_LOADER = 'python.path.to.your.callable'
 
 
+SameSite cookie
+...............
+
+By default, djangosaml2 handle the saml2 session in a separate cookie.
+The storage linked to it is accessible by default at `request.saml_session`.
+You can even configure this using::
+
+  SAML_SESSION_COOKIE_NAME = 'saml_session'
+
 Custom error handler
 ....................
 
@@ -544,12 +557,16 @@ Unit tests
 You can also run the unit tests as follows::
 
   pip install -r requirements-dev.txt
+  # or
+  pip install djangosaml2[test]
   python3 tests/manage.py migrate
-  
+
+then::
+
   python tests/run_tests.py
 
 or::
-  
+
   cd tests/
   ./manage.py test djangosaml2
 

README.rst

@@ -63,6 +63,9 @@ def delete(self, saml2_session_id):
             del self._db[saml2_session_id]
             self._db.sync()
 
+    def sync(self):
+        self._db.sync()
+
 
 class IdentityCache(Cache):
     """Handles information about the users that have been succesfully

djangosaml2/cache.py

@@ -0,0 +1,73 @@
+import time
+from importlib import import_module
+
+from django.conf import settings
+from django.contrib.sessions.backends.base import UpdateError
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.core.exceptions import SuspiciousOperation
+from django.utils.cache import patch_vary_headers
+from django.utils.http import http_date
+
+
+class SamlSessionMiddleware(SessionMiddleware):
+    session_name = getattr(settings, 'SAML_SESSION_COOKIE_NAME', 'saml_session')
+
+    def process_request(self, request):
+        session_key = request.COOKIES.get(self.session_name, None)
+        setattr(request, self.session_name, self.SessionStore(session_key))
+
+    def process_response(self, request, response):
+        """
+        If request.saml_session was modified, or if the configuration is to save the
+        session every time, save the changes and set a session cookie or delete
+        the session cookie if the session has been emptied.
+        """
+        try:
+            accessed = getattr(request, self.session_name).accessed
+            modified = getattr(request, self.session_name).modified
+            empty = getattr(request, self.session_name).is_empty()
+        except AttributeError:
+            return response
+        # First check if we need to delete this cookie.
+        # The session should be deleted only if the session is entirely empty.
+        if self.session_name in request.COOKIES and empty:
+            response.delete_cookie(
+                self.session_name,
+                path=settings.SESSION_COOKIE_PATH,
+                domain=settings.SESSION_COOKIE_DOMAIN,
+                samesite=None,
+            )
+            patch_vary_headers(response, ('Cookie',))
+        else:
+            if accessed:
+                patch_vary_headers(response, ('Cookie',))
+            if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+                if request.session.get_expire_at_browser_close():
+                    max_age = None
+                    expires = None
+                else:
+                    max_age = getattr(request, self.session_name).get_expiry_age()
+                    expires_time = time.time() + max_age
+                    expires = http_date(expires_time)
+                # Save the session data and refresh the client cookie.
+                # Skip session save for 500 responses, refs #3881.
+                if response.status_code != 500:
+                    try:
+                        getattr(request, self.session_name).save()
+                    except UpdateError:
+                        raise SuspiciousOperation(
+                            "The request's session was deleted before the "
+                            "request completed. The user may have logged "
+                            "out in a concurrent request, for example."
+                        )
+                    response.set_cookie(
+                        self.session_name,
+                        getattr(request, self.session_name).session_key,
+                        max_age=max_age,
+                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+                        path=settings.SESSION_COOKIE_PATH,
+                        secure=settings.SESSION_COOKIE_SECURE or None,
+                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+                        samesite=None
+                    )
+        return response