fix(go): set correct cookie params
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
surtur 2023-09-04 21:02:06 +02:00
parent 07d19e6b77
commit 83f0ec7e15
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
4 changed files with 22 additions and 2 deletions

@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
)
}
store.Options.Path = "/"
store.Options.Domain = a.setting.HTTPDomain()
store.Options.HttpOnly = true
store.Options.SameSite = http.SameSiteStrictMode
store.Options.Secure = a.setting.HTTPSecure()
store.Options.MaxAge = a.setting.SessionMaxAge()
if a.setting.HTTPSecure() {
// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
// https://scotthelme.co.uk/tough-cookies/
// https://check-your-website.server-daten.de/prefix-cookies.html
store.Options.Domain = "__Host-" + store.Options.Domain
}
e.Use(session.Middleware(store))
e.Use(middleware.Secure())
@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode,
CookieMaxAge: a.setting.SessionMaxAge(),
CookiePath: "/",
},
)
}

@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
s.SetIsLive(conf.LiveMode)
s.SetIsDevel(conf.DevelMode)
s.SetLoggerIsJSON(conf.Logger.JSON)
s.SetSessionMaxAge(conf.Session.MaxAge)
s.SetSessionCookieName(conf.Session.CookieName)
s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
// SetSessionMaxAge sets sessionMaxAge.
func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
if sessionMaxAge < 1 {
log.Debug("setting cookie max age to the default")
s.sessionMaxAge = defaultSessionMaxAge
} else {
log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
s.sessionMaxAge = sessionMaxAge
}
}

@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,
func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
sess.Options = &sessions.Options{
Domain: setting.HTTPDomain(),
Path: path,
MaxAge: maxAge,
HttpOnly: httpOnly,

@ -37,14 +37,19 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
if uname != nil {
username = uname.(string)
log.Debug("Refreshing session cookie", "username", username, "module", "middleware")
// nolint:goconst
log.Info("Refreshing session cookie", "username", username,
"module", "middleware",
"maxAge", setting.SessionMaxAge(),
"secure", c.Request().URL.Scheme == "https",
"domain", setting.HTTPDomain)
refreshSession(
sess,
"/",
setting.SessionMaxAge(),
true,
c.Request().URL.Scheme == "https", //nolint:goconst
c.Request().URL.Scheme == "https", // nolint:goconst
http.SameSiteStrictMode,
)