From b7f0c3cc6c5ac9cf0e3a888ae52389d0ff8dfad0 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Thu, 25 Jan 2024 10:31:14 +0100
Subject: [PATCH] Fix cookie detection

---
 src/pretix/api/middleware.py | 2 +-
 src/pretix/api/views/idempotency.py | 2 +-
 src/pretix/presale/views/cart.py | 13 ++++++++++---
 src/pretix/presale/views/event.py | 3 ++-
 src/pretix/presale/views/waiting.py | 3 ++-
 5 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/pretix/api/middleware.py b/src/pretix/api/middleware.py
index 9d21ac36e..ff4d37c8f 100644
--- a/src/pretix/api/middleware.py
+++ b/src/pretix/api/middleware.py
@@ -54,7 +54,7 @@ class IdempotencyMiddleware:
         auth_hash_parts = '{}:{}'.format(
             request.headers.get('Authorization', ''),
-            request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
+            request.COOKIES.get('__Host-' + settings.SESSION_COOKIE_NAME, request.COOKIES.get(settings.SESSION_COOKIE_NAME, ''))
         )
         auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
         idempotency_key = request.headers.get('X-Idempotency-Key', '')
diff --git a/src/pretix/api/views/idempotency.py b/src/pretix/api/views/idempotency.py
index 3ae560b01..4cbe83dd5 100644
--- a/src/pretix/api/views/idempotency.py
+++ b/src/pretix/api/views/idempotency.py
@@ -42,7 +42,7 @@ class IdempotencyQueryView(APIView):
         idempotency_key = request.GET.get("key")
         auth_hash_parts = '{}:{}'.format(
             request.headers.get('Authorization', ''),
-            request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
+            request.COOKIES.get('__Host-' + settings.SESSION_COOKIE_NAME, request.COOKIES.get(settings.SESSION_COOKIE_NAME, ''))
         )
         auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
         if not idempotency_key:
diff --git a/src/pretix/presale/views/cart.py b/src/pretix/presale/views/cart.py
index 2f00868ea..c9b296843 100644
--- a/src/pretix/presale/views/cart.py
+++ b/src/pretix/presale/views/cart.py
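Review bot: The new `+` line hard-codes the `'__Host-'` prefix and nests two `.get()` calls into a very long expression, and the byte-identical expression is copied into `IdempotencyQueryView` in the next hunk; if the two copies ever drift, the query view computes a different `auth_hash` and idempotency lookups silently stop matching. Put the lookup in one shared helper, e.g. `def get_session_cookie(request): return request.COOKIES.get('__Host-' + settings.SESSION_COOKIE_NAME, request.COOKIES.get(settings.SESSION_COOKIE_NAME, ''))`, and call it from both places. Preferring the prefixed cookie when both are present is the right order, since a `__Host-` cookie can only have been set by this exact host over HTTPS whereas the unprefixed name can be planted from a sibling subdomain, so a comment such as `# prefer the __Host- cookie: a sibling subdomain cannot forge it` would record the intent. The enclosing method of `IdempotencyMiddleware` starts before this hunk.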
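Review bot: The fallback to the unprefixed `settings.SESSION_COOKIE_NAME` on the `+` line keeps a legacy cookie in the idempotency scope even on deployments that presumably have already moved to the `__Host-` cookie; because the unprefixed name is not host-locked, a cookie planted by a sibling subdomain can then still influence which auth scope an idempotency key is looked up under. That is no worse than the previous behaviour, but it deserves an explicit marker, e.g. `# TODO: drop the unprefixed fallback once all sessions carry the __Host- cookie`, so the migration is finished rather than forgotten. A regression test that builds one request carrying only the `__Host-` cookie and asserts the middleware and this view derive the same `auth_hash` would also pin the two copies together. The enclosing `get` method of `IdempotencyQueryView` starts before this hunk.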
@@ -97,7 +97,10 @@ class CartActionMixin:
         if 'locale' in self.request.GET:
             query['locale'] = self.request.GET['locale']
         disclose_cart_id = (
-            'iframe' in self.request.GET or settings.SESSION_COOKIE_NAME not in self.request.COOKIES
+            'iframe' in self.request.GET or (
+                settings.SESSION_COOKIE_NAME not in self.request.COOKIES and
+                '__Host-' + settings.SESSION_COOKIE_NAME not in self.request.COOKIES
+            )
         ) and self.kwargs.get('cart_namespace')
         if disclose_cart_id:
             cart_id = get_or_create_cart_id(self.request)
@@ -120,7 +123,10 @@ class CartActionMixin:
         else:
             u += '?require_cookie=true'
         disclose_cart_id = (
-            'iframe' in self.request.GET or settings.SESSION_COOKIE_NAME not in self.request.COOKIES
+            'iframe' in self.request.GET or (
+                settings.SESSION_COOKIE_NAME not in self.request.COOKIES and
+                '__Host-' + settings.SESSION_COOKIE_NAME not in self.request.COOKIES
+            )
         ) and self.kwargs.get('cart_namespace')
         if disclose_cart_id:
             cart_id = get_or_create_cart_id(self.request)
@@ -592,7 +598,8 @@ class RedeemView(NoSearchIndexViewMixin, EventViewMixin, CartMixin, TemplateView
         context['new_tab'] = (
             'require_cookie' in self.request.GET and
-            settings.SESSION_COOKIE_NAME not in self.request.COOKIES
+            settings.SESSION_COOKIE_NAME not in self.request.COOKIES and
+            '__Host-' + settings.SESSION_COOKIE_NAME not in self.request.COOKIES
             # Cookies are not supported! Lets just make the form open in a new tab
         )
diff --git a/src/pretix/presale/views/event.py b/src/pretix/presale/views/event.py
index 9270a22ed..5e0162937 100644
--- a/src/pretix/presale/views/event.py
+++ b/src/pretix/presale/views/event.py
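Review bot: The four-line "neither cookie name is present" test added to `disclose_cart_id` here is repeated verbatim in the second `CartActionMixin` hunk (line 123), so the two methods can drift apart the next time the cookie naming changes. Compute it once, e.g. `has_cookie = (settings.SESSION_COOKIE_NAME in self.request.COOKIES or '__Host-' + settings.SESSION_COOKIE_NAME in self.request.COOKIES)` followed by `disclose_cart_id = ('iframe' in self.request.GET or not has_cookie) and self.kwargs.get('cart_namespace')`, ideally as a small method on the mixin both call sites share. Since a cart id placed in the URL acts as a bearer reference to that cart, narrowing the disclosure to requests that truly carry no session cookie is the right direction; a comment like `# only leak the cart id into the URL when the browser demonstrably sent no session cookie` would make that reasoning explicit. The enclosing methods start before and end after their hunks.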
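Review bot: The `new_tab` condition in `RedeemView.get_context_data` is now the third copy of the two-name cookie membership test in this file, and `event.py` and `waiting.py` in this same patch add two more with slightly different formatting; five hand-maintained copies of a security-relevant check is how one of them ends up forgotten. A single shared helper such as `def has_session_cookie(request): return settings.SESSION_COOKIE_NAME in request.COOKIES or '__Host-' + settings.SESSION_COOKIE_NAME in request.COOKIES`, importable from both the presale views and the API code, would let this line read `'require_cookie' in self.request.GET and not has_session_cookie(self.request)`. Note that all of these checks only confirm that a cookie with the session name arrived, not that it holds a valid session, which is fine for feature detection but worth stating in the helper's docstring. The enclosing method starts before and ends after this hunk.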
@@ -488,7 +488,8 @@ class EventIndex(EventViewMixin, EventListMixin, CartMixin, TemplateView):
         elif request.GET.get('iframe', '') == '1' and len(self.request.GET.get('widget_data', '{}')) > 3:
             # We've been passed data from a widget, we need to create a cart session to store it.
             get_or_create_cart_id(request)
-        elif 'require_cookie' in request.GET and settings.SESSION_COOKIE_NAME not in request.COOKIES:
+        elif 'require_cookie' in request.GET and settings.SESSION_COOKIE_NAME not in request.COOKIES and \
+                '__Host-' + settings.SESSION_COOKIE_NAME not in self.request.COOKIES:
             # Cookies are in fact not supported
             r = render(request, 'pretixpresale/event/cookies.html', {
                 'url': eventreverse(
diff --git a/src/pretix/presale/views/waiting.py b/src/pretix/presale/views/waiting.py
index 173fc39d9..f2e62687e 100644
--- a/src/pretix/presale/views/waiting.py
+++ b/src/pretix/presale/views/waiting.py
@@ -77,7 +77,8 @@ class WaitingView(EventViewMixin, FormView):
         if request.GET.get('iframe', '') == '1' and 'require_cookie' not in request.GET:
             # Widget just opened. Let's to a stupid redirect to check if cookies are disabled
             return redirect(request.get_full_path() + '&require_cookie=true')
-        elif 'require_cookie' in request.GET and settings.SESSION_COOKIE_NAME not in request.COOKIES:
+        elif 'require_cookie' in request.GET and settings.SESSION_COOKIE_NAME not in request.COOKIES and\
+                '__Host-' + settings.SESSION_COOKIE_NAME not in self.request.COOKIES:
             # Cookies are in fact not supported. We can't even display the form, since we can't get CSRF right without
             # cookies.
             r = render(request, 'pretixpresale/event/cookies.html', {
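Review bot: The added `elif` mixes `request.COOKIES` on its first line with `self.request.COOKIES` on the continuation line; presumably these are the same object inside the view's `get`, but reading two different names for one request in a single condition invites a future maintainer to wonder whether they differ, and the backslash continuation is the form PEP 8 discourages. Write it with one name and parentheses, e.g. `elif 'require_cookie' in request.GET and (settings.SESSION_COOKIE_NAME not in request.COOKIES and '__Host-' + settings.SESSION_COOKIE_NAME not in request.COOKIES):`, or better call the same cookie-presence helper the cart views use. The enclosing `get` method of `EventIndex` starts before and ends after this hunk.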
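Review bot: The new condition in `WaitingView.get` has `and\` with no space before the backslash and, like the `event.py` hunk, switches from `request.COOKIES` to `self.request.COOKIES` mid-expression; both are lint findings that will be flagged on the next run and the second one obscures whether the two names are meant to refer to the same request. A parenthesised form using one name, `elif 'require_cookie' in request.GET and (settings.SESSION_COOKIE_NAME not in request.COOKIES and '__Host-' + settings.SESSION_COOKIE_NAME not in request.COOKIES):`, reads cleanly without the continuation character. The `cookies.html` fallback rendered on the following context lines is the right failure mode here, since without a cookie the CSRF token on the waiting-list form cannot be validated, and that reasoning is already captured by the existing comment. The enclosing method starts before and ends after this hunk.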