From 27b26ec49c713826f4945bcbfefa64fa5e2efd8e Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Tue, 15 Apr 2025 16:03:33 -0400
Subject: [PATCH] Fixes #19195: Language cookie should respect SESSION_COOKIE_SECURE value (#19197)
---
 netbox/account/views.py | 14 ++++++++++++--
 netbox/netbox/middleware.py | 7 ++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/netbox/account/views.py b/netbox/account/views.py
index 05f40df3f..43df5436a 100644
--- a/netbox/account/views.py
+++ b/netbox/account/views.py
@@ -123,7 +123,12 @@ class LoginView(View):
 # Set the user's preferred language (if any)
 if language := request.user.config.get('locale.language'):
- response.set_cookie(settings.LANGUAGE_COOKIE_NAME, language, max_age=request.session.get_expiry_age())
+ response.set_cookie(
+ key=settings.LANGUAGE_COOKIE_NAME,
+ value=language,
+ max_age=request.session.get_expiry_age(),
+ secure=settings.SESSION_COOKIE_SECURE,
+ )
 return response
@@ -218,7 +223,12 @@ class UserConfigView(LoginRequiredMixin, View):
 # Set/clear language cookie
 if language := form.cleaned_data['locale.language']:
- response.set_cookie(settings.LANGUAGE_COOKIE_NAME, language, max_age=request.session.get_expiry_age())
+ response.set_cookie(
+ key=settings.LANGUAGE_COOKIE_NAME,
+ value=language,
+ max_age=request.session.get_expiry_age(),
+ secure=settings.SESSION_COOKIE_SECURE,
+ )
 else:
 response.delete_cookie(settings.LANGUAGE_COOKIE_NAME)
diff --git a/netbox/netbox/middleware.py b/netbox/netbox/middleware.py
index b9424bd7c..d53f67803 100644
--- a/netbox/netbox/middleware.py
+++ b/netbox/netbox/middleware.py
@@ -43,7 +43,12 @@ class CoreMiddleware:
 # Check if language cookie should be renewed
 if request.user.is_authenticated and settings.SESSION_SAVE_EVERY_REQUEST:
 if language := request.user.config.get('locale.language'):
- response.set_cookie(settings.LANGUAGE_COOKIE_NAME, language, max_age=request.session.get_expiry_age())
+ response.set_cookie(
+ key=settings.LANGUAGE_COOKIE_NAME,
+ value=language,
+ max_age=request.session.get_expiry_age(),
+ secure=settings.SESSION_COOKIE_SECURE,
+ )
 # Attach the unique request ID as an HTTP header.
 response['X-Request-ID'] = request.id
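Review bot: The renewed `set_cookie(...)` call in this hunk still leaves `samesite` and `httponly` at Django's `set_cookie` defaults, so the language cookie is sent without a SameSite attribute regardless of how the session cookie is configured; the same applies to the two identical calls in `LoginView` and `UserConfigView` in netbox/account/views.py. Since the commit already ties `secure` to the session setting, adding `samesite=settings.SESSION_COOKIE_SAMESITE,` beside it would keep the two cookies aligned. `httponly=True` is worth adding only if no client-side script reads this cookie, which cannot be confirmed from the diff. With the same call now repeated three times across two files, a small shared helper would stop the attributes drifting apart. The enclosing `CoreMiddleware` method starts and ends outside the hunk.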