From 9f34bd2aa17b5d46c7b738e248b84c840213fc07 Mon Sep 17 00:00:00 2001
From: Andrew Shu
Date: Thu, 18 Sep 2025 16:56:51 -0700
Subject: [PATCH] Update pyramid-session-redis to 1.5.3 (was 1.5.0)

* Bump dependency version to 1.5.3
* Add SameSite=Lax in site configuration
* Add cookie_signer to migrate legacy sessions from 1.5.0
---
 tildes/development.ini | 1 +
 tildes/production.ini.example | 1 +
 tildes/requirements-dev.txt | 2 +-
 tildes/requirements.in | 2 +-
 tildes/requirements.txt | 2 +-
 tildes/tildes/__init__.py | 14 ++++++++++++++
 6 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/tildes/development.ini b/tildes/development.ini
index f463e17..e112916 100644
--- a/tildes/development.ini
+++ b/tildes/development.ini
@@ -32,6 +32,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax
 # Set session timeout to 10 mins by default, we'll extend it when people log in
 redis.sessions.timeout = 600
diff --git a/tildes/production.ini.example b/tildes/production.ini.example
index 3c7ad68..b995c14 100644
--- a/tildes/production.ini.example
+++ b/tildes/production.ini.example
@@ -10,6 +10,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax
 # disable the python timeout management in pyramid-session-redis
 redis.sessions.python_expires = false
diff --git a/tildes/requirements-dev.txt b/tildes/requirements-dev.txt
index 2c0ef37..765d3ef 100644
--- a/tildes/requirements-dev.txt
+++ b/tildes/requirements-dev.txt
@@ -91,7 +91,7 @@ pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
 pyramid-mako==1.1.0
 pyramid-openapi3==0.21.0
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 pytest==8.4.1
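Review bot: The new `redis.sessions.cookie_samesite = Lax` line lands in production.ini.example only, so an existing deployment's production.ini does not gain it until an operator copies it over, and until then the session cookie carries whatever SameSite value pyramid-session-redis applies by default; the commit message does not mention that manual step. The same line is added to development.ini in the preceding hunk, so this applies to both. Because the value is security-relevant, a one-line comment above it stating why Lax was chosen over Strict would help the next reader, e.g. `# Lax (not Strict) so the session cookie is still sent on top-level navigations from other sites` — assuming that is the reason, which nothing in the commit states.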
diff --git a/tildes/requirements.in b/tildes/requirements.in
index 15af711..e4e6eb9 100644
--- a/tildes/requirements.in
+++ b/tildes/requirements.in
@@ -23,7 +23,7 @@ pyramid<2.0
 pyramid-ipython
 pyramid-jinja2
 pyramid-openapi3>=0.17.0
-pyramid-session-redis==1.5.0 # 1.5.1 has a change that will invalidate current sessions
+pyramid-session-redis==1.5.3 # TODO: allow 1.8.0+ after legacy cookie sessions expire
 pyramid-tm
 pyramid-webassets
 python-dateutil
diff --git a/tildes/requirements.txt b/tildes/requirements.txt
index 4e73db4..e89cb15 100644
--- a/tildes/requirements.txt
+++ b/tildes/requirements.txt
@@ -62,7 +62,7 @@ pyramid==1.10.8
 pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
 pyramid-openapi3==0.21.0
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 python-dateutil==2.9.0.post0
diff --git a/tildes/tildes/__init__.py b/tildes/tildes/__init__.py
index 7f9a6e7..f06ef30 100644
--- a/tildes/tildes/__init__.py
+++ b/tildes/tildes/__init__.py
@@ -7,6 +7,7 @@ import sentry_sdk
 from marshmallow.exceptions import ValidationError
 from paste.deploy.config import PrefixMiddleware
 from pyramid.config import Configurator
+from pyramid_session_redis.legacy import GracefulCookieSerializer
 from sentry_sdk.integrations.pyramid import PyramidIntegration
 from webassets import Bundle
@@ -16,6 +17,19 @@ def main(global_config: dict[str, str], **settings: str) -> PrefixMiddleware:
 config = Configurator(settings=settings)
 config.include("cornice")
+
+ # Pass a cookie_signer to migrate legacy sessions
+ # from pyramid_session_redis 1.5.0 to 1.5.1+.
+ # We should remove this settings override after all legacy cookies expire.
+ config.add_settings(
+ {
+ "redis.sessions.cookie_signer": GracefulCookieSerializer(
+ settings["redis.sessions.secret"]
+ ),
+ "redis.sessions.secret": None,
+ }
+ )
+
 config.include("pyramid_session_redis")
 config.include("pyramid_webassets")
 config.include("pyramid_openapi3")
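Review bot: The removal condition in the new comment above `config.add_settings`, "after all legacy cookies expire", gives the next maintainer nothing concrete to check, and for as long as the override stays in place the application presumably keeps honouring cookies signed under the 1.5.0 scheme alongside the current one. Tie it to the configured cookie lifetime (`redis.sessions.cookie_max_age = 31536000`, one year, in the ini files) and the deployment date, e.g. `# Remove once every cookie issued before <deploy date> is past cookie_max_age (one year); lift the <1.8.0 pin in requirements.in at the same time.` If GracefulCookieSerializer exposes any way to observe when the legacy fallback is actually taken, logging that would let the removal be driven by data rather than the worst-case lifetime. The body of main() continues outside the hunk.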