Updates to Secure Cookie Configuration

[Katie Punia]

Hello everyone, 

Please see the Archivematica release documentation for security enhancements to the project surrounding cookie configuration. We recommend Administrators review their settings to take advantage of these options, ensuring deployment configurations are updated to align with stricter defaults. Should those supporting their own installation(s) of Archivematica wish to view the changes please see the following: 

https://wiki.archivematica.org/Archivematica_1.18.0_and_Storage_Service_0.24.0_release_notes#Cookie_configuration_improvements

https://www.archivematica.org/en/docs/archivematica-1.18/admin-manual/security/security/#cookie-and-session-security

Warmly, 

Katie 

Katie Punia (she/her)

Information Management Specialist 

Artefactual Systems

[Juan Cerrada]

Hello, i recently install archivematica, using Automated install using Ansible Ubuntu 24.04 (Noble).

After a suscesfully installation, when i try to acces to http://192.168.168.198:8000/ or http://192.168.168.198:8000/ and using user:test pass:test, the browser respond with a problem of cookies. 

For my present installation, it's not so necessary this kind of security, and i read in your documents that it's possible to change this parameter. But  due my technical limitation, i don't know how to do it. It's possible a small guide for access to the files where i can change, like you say:

"If your deployment does not use HTTPS (not recommended for production), explicitly set the *_SESSION_COOKIE_SECURE and *_CSRF_COOKIE_SECURE environment variables to false to allow cookies to be sent over HTTP."

Many thanks

[Douglas Cerna]

Hello,

At the bottom of your deploy-pub/playbooks/archivematica-noble/vars-singlenode-1.18.yml file change this:

archivematica_src_ss_environment:
  SS_DB_URL: "mysql://{{ archivematica_src_ss_db_user }}:{{ archivematica_src_ss_db_password }}@{{ archivematica_src_ss_db_host }}:3306/{{ archivematica_src_ss_db_name }}"

To look like this:

archivematica_src_ss_environment:
  SS_DB_URL: "mysql://{{ archivematica_src_ss_db_user }}:{{ archivematica_src_ss_db_password }}@{{ archivematica_src_ss_db_host }}:3306/{{ archivematica_src_ss_db_name }}"
  SESSION_COOKIE_SECURE: false
  CSRF_COOKIE_SECURE: false

archivematica_src_am_dashboard_environment:
  ARCHIVEMATICA_DASHBOARD_DASHBOARD_SESSION_COOKIE_SECURE: false
  ARCHIVEMATICA_DASHBOARD_DASHBOARD_CSRF_COOKIE_SECURE: false

This disables secure cookies in the Storage Service by setting the SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE keys to false in the archivematica_src_ss_environment dictionary variable, and adds the archivematica_src_am_dashboard_environment dictionary to do the same in the Dashboard.

After making these changes in the deploy-pub/playbooks/archivematica-noble/vars-singlenode-1.18.yml file, run the vagrant provision command to update your server configuration like this:

cd deploy-pub/playbooks/archivematica-noble
ANSIBLE_ARGS="--tags=archivematica-src" vagrant provision

After this command finishes you should not see the cookie error anymore.

Hope this helps.

--
You received this message because you are subscribed to the Google Groups "archivematica" group.
To unsubscribe from this group and stop receiving emails from it, send an email to archivematic...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/archivematica/2064f07f-b2dd-40fd-9741-62fd93bae249n%40googlegroups.com.

--

Douglas Cerna (he/him),
Software Developer, Artefactual Systems Inc.
http://www.artefactual.com

[Juan Cerrada]

Many Thanks, now i have to practice ;)

Best regards