fix(go): set correct cookie params

2023-09-04 21:02:06 +02:00 · 2023-09-04 21:02:06 +02:00 · 83f0ec7e15
parent 07d19e6b77
commit 83f0ec7e15
4 changed files with 22 additions and 2 deletions
--- a/app/server.go
+++ b/app/server.go
@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
 		)
 	}

+	store.Options.Path = "/"
 	store.Options.Domain = a.setting.HTTPDomain()
 	store.Options.HttpOnly = true
 	store.Options.SameSite = http.SameSiteStrictMode
 	store.Options.Secure = a.setting.HTTPSecure()
 	store.Options.MaxAge = a.setting.SessionMaxAge()

+	if a.setting.HTTPSecure() {
+		// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
+		// https://scotthelme.co.uk/tough-cookies/
+		// https://check-your-website.server-daten.de/prefix-cookies.html
+		store.Options.Domain = "__Host-" + store.Options.Domain
+	}
+
 	e.Use(session.Middleware(store))

 	e.Use(middleware.Secure())
@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
 		CookieHTTPOnly: true,
 		CookieSameSite: http.SameSiteStrictMode,
 		CookieMaxAge:   a.setting.SessionMaxAge(),
+		CookiePath:     "/",
 	},
 	)
 }
--- a/app/settings/settings.go
+++ b/app/settings/settings.go
@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
 	s.SetIsLive(conf.LiveMode)
 	s.SetIsDevel(conf.DevelMode)
 	s.SetLoggerIsJSON(conf.Logger.JSON)
+	s.SetSessionMaxAge(conf.Session.MaxAge)
 	s.SetSessionCookieName(conf.Session.CookieName)
 	s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
 	s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
 // SetSessionMaxAge sets sessionMaxAge.
 func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
 	if sessionMaxAge < 1 {
+		log.Debug("setting cookie max age to the default")
+
 		s.sessionMaxAge = defaultSessionMaxAge
 	} else {
+		log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
+
 		s.sessionMaxAge = sessionMaxAge
 	}
 }
--- a/handlers/helpers.go
+++ b/handlers/helpers.go
@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,

 func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
 	sess.Options = &sessions.Options{
+		Domain:   setting.HTTPDomain(),
 		Path:     path,
 		MaxAge:   maxAge,
 		HttpOnly: httpOnly,
--- a/handlers/middleware.go
+++ b/handlers/middleware.go
@ -37,14 +37,19 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
 		if uname != nil {
 			username = uname.(string)

-			log.Debug("Refreshing session cookie", "username", username, "module", "middleware")
+			// nolint:goconst
+			log.Info("Refreshing session cookie", "username", username,
+				"module", "middleware",
+				"maxAge", setting.SessionMaxAge(),
+				"secure", c.Request().URL.Scheme == "https",
+				"domain", setting.HTTPDomain)

 			refreshSession(
 				sess,
 				"/",
 				setting.SessionMaxAge(),
 				true,
-				c.Request().URL.Scheme == "https", //nolint:goconst
+				c.Request().URL.Scheme == "https", // nolint:goconst
 				http.SameSiteStrictMode,
 			)