Set HttpOnly and Secure flags in session cookies

[eapolinario]

Why are the changes needed?

Setting these 2 fields is standard practice. All modern browsers implement them.

What changes were proposed in this pull request?

We set HttpOnly and Secure flags in all cookies produced by Flyte. Notice that those are generated only if auth is enabled.

More information about those flags:

• https://owasp.org/www-community/HttpOnly: The HttpOnly option prevents JavaScript code from accessing the cookie. This can provide some protection from cookie theft if an attacker successfully exploits a Cross-Site Scripting (XSS) vulnerability.
• https://cwe.mitre.org/data/definitions/614.html: The Secure cookie flag is an option that can be used to prevent the browser from sending the cookie over a plaintext connection. This can prevent an attacker from attempting session hijacking through Man-in-the-Middle (MitM) attacks.

Currently we allow the use of auth without TLS, but I'm wondering if we should remove that case (or disallow it explicitly).
edit: This is a common setup. We now have a separate config to control whether cookies have the Secure header set. This is supposed to be used only for testing as it potentially exposes users who serve flyteconsole with TLS disabled and auth enabled to aforementioned attacks.

How was this patch tested?

Setup process

Screenshots

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

Docs link

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.95%. Comparing base (56b6d6d) to head (0e4e696).
Report is 61 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5911      +/-   ##
==========================================
+ Coverage   36.71%   36.95%   +0.23%     
==========================================
  Files        1304     1310       +6     
  Lines      130081   131470    +1389     
==========================================
+ Hits        47764    48587     +823     
- Misses      78147    78662     +515     
- Partials     4170     4221      +51     

Flag	Coverage Δ
unittests-datacatalog	51.58% <ø> (ø)
unittests-flyteadmin	54.06% <100.00%> (-0.36%)	⬇️
unittests-flytecopilot	22.23% <ø> (+10.50%)	⬆️
unittests-flytectl	62.39% <ø> (-0.02%)	⬇️
unittests-flyteidl	6.95% <ø> (+0.06%)	⬆️
unittests-flyteplugins	53.83% <ø> (+0.20%)	⬆️
unittests-flytepropeller	43.10% <ø> (+0.26%)	⬆️
unittests-flytestdlib	55.30% <ø> (+0.51%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Sovietaced]

Currently we allow the use of auth without TLS, but I'm wondering if we should remove that case (or disallow it explicitly).

I feel like it’s pretty normal to run plaintext from an ingress to an origin on the same node. At least that’s what we do.