Merge pull request #723 from alphagov/highlighting_problem_with_CSRF

2ND Line: highlighting problem with CSRF authentication in support form
alphagov · Feb 28, 2020 · a54693c · a54693c
2 parents 09bd866 + f8d7a91
commit a54693c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -25,8 +25,7 @@
   # Render exceptions instead of raising them
   config.action_dispatch.show_exceptions = true
 
-  # Disable request forgery protection in test environment.
-  config.action_controller.allow_forgery_protection = false
+  # Disable caching in test environment.
   config.action_mailer.perform_caching = false
 
   # Tell Action Mailer not to deliver emails to the real world.
@@ -39,4 +38,7 @@
 
   # Raises error for missing translations
   config.action_view.raise_on_missing_translations = true
+
+  # The support forms require CSRF authentication, this should be checked in the tests
+  config.action_controller.allow_forgery_protection = true  
 end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
@@ -1 +1,2 @@
-Rails.application.config.session_store :disabled
+Rails.application.config.session_store :cookie_store, expire_after: 14.days, secure: !(Rails.env.development? || Rails.env.test?), httponly: true
+