From 83f0ec7e15d25549f1f5f7b91db0e4b3a17ffb76 Mon Sep 17 00:00:00 2001
From: surtur
Date: Mon, 4 Sep 2023 21:02:06 +0200
Subject: [PATCH] fix(go): set correct cookie params

---
 app/server.go | 9 +++++++++
 app/settings/settings.go | 5 +++++
 handlers/helpers.go | 1 +
 handlers/middleware.go | 9 +++++++--
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/app/server.go b/app/server.go
index b098dda..0213af4 100644
--- a/app/server.go
+++ b/app/server.go
@@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
 )
 }
+ store.Options.Path = "/"
 store.Options.Domain = a.setting.HTTPDomain()
 store.Options.HttpOnly = true
 store.Options.SameSite = http.SameSiteStrictMode
 store.Options.Secure = a.setting.HTTPSecure()
 store.Options.MaxAge = a.setting.SessionMaxAge()
+ if a.setting.HTTPSecure() {
+ // https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
+ // https://scotthelme.co.uk/tough-cookies/
+ // https://check-your-website.server-daten.de/prefix-cookies.html
+ store.Options.Domain = "__Host-" + store.Options.Domain
+ }
+
 e.Use(session.Middleware(store))
 e.Use(middleware.Secure())
@@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
 CookieHTTPOnly: true,
 CookieSameSite: http.SameSiteStrictMode,
 CookieMaxAge: a.setting.SessionMaxAge(),
+ CookiePath: "/",
 },
 )
 }
diff --git a/app/settings/settings.go b/app/settings/settings.go
index 5b77c8b..cbaf0a2 100644
--- a/app/settings/settings.go
+++ b/app/settings/settings.go
@@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
 s.SetIsLive(conf.LiveMode)
 s.SetIsDevel(conf.DevelMode)
 s.SetLoggerIsJSON(conf.Logger.JSON)
+ s.SetSessionMaxAge(conf.Session.MaxAge)
 s.SetSessionCookieName(conf.Session.CookieName)
 s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
 s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
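Review bot: `store.Options.Domain = "__Host-" + store.Options.Domain` applies the prefix to the wrong attribute: `__Host-` is a cookie name prefix, and browsers only honour it when the cookie is Secure, has `Path=/` and carries no Domain attribute at all. Prepending it to the Domain value instead yields a Domain that cannot match the request host, so the session cookie is likely to be rejected by the browser whenever `HTTPSecure()` is true. The session cookie name is not set in this hunk; the prefix belongs on that name, and this branch should instead clear the attribute: `store.Options.Domain = ""` with the comment `// __Host- cookies must not carry Domain; the prefix goes on the cookie name`. `a.setting.HTTPSecure()` is also evaluated twice in this hunk; hoisting it into one local keeps the Secure flag and the prefix decision in sync. SetServerSettings continues outside the hunk.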
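Review bot: `CookiePath: "/"` aligns the CSRF cookie's path with the session cookie, but within this hunk nothing sets `CookieSecure` or `CookieDomain`, which app/server.go in the same commit sets on the session store from `a.setting.HTTPSecure()` and `a.setting.HTTPDomain()`. If they are not set in the part of the config literal above the hunk, add `CookieSecure: a.setting.HTTPSecure(),` and `CookieDomain: a.setting.HTTPDomain(),` so both cookies share the same scope and transport requirement. csrfConfig's config literal begins outside the hunk.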
@@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
 // SetSessionMaxAge sets sessionMaxAge.
 func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
 if sessionMaxAge < 1 {
+ log.Debug("setting cookie max age to the default")
+
 s.sessionMaxAge = defaultSessionMaxAge
 } else {
+ log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
+
 s.sessionMaxAge = sessionMaxAge
 }
 }
diff --git a/handlers/helpers.go b/handlers/helpers.go
index b9bebf1..2519910 100644
--- a/handlers/helpers.go
+++ b/handlers/helpers.go
@@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,
 func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
 sess.Options = &sessions.Options{
+ Domain: setting.HTTPDomain(),
 Path: path,
 MaxAge: maxAge,
 HttpOnly: httpOnly,
diff --git a/handlers/middleware.go b/handlers/middleware.go
index 6f856c4..07ee48c 100644
--- a/handlers/middleware.go
+++ b/handlers/middleware.go
@@ -37,14 +37,19 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
 if uname != nil {
 username = uname.(string)
- log.Debug("Refreshing session cookie", "username", username, "module", "middleware")
+ // nolint:goconst
+ log.Info("Refreshing session cookie", "username", username,
+ "module", "middleware",
+ "maxAge", setting.SessionMaxAge(),
+ "secure", c.Request().URL.Scheme == "https",
+ "domain", setting.HTTPDomain)
 refreshSession(
 sess,
 "/",
 setting.SessionMaxAge(),
 true,
- c.Request().URL.Scheme == "https", //nolint:goconst
+ c.Request().URL.Scheme == "https", // nolint:goconst
 http.SameSiteStrictMode,
 )
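Review bot: The doc comment `// SetSessionMaxAge sets sessionMaxAge.` on the first line of the hunk does not mention the fallback that the new log lines now make visible; suggest `// SetSessionMaxAge sets sessionMaxAge, falling back to defaultSessionMaxAge when the given value is < 1.` The default-branch log also omits the value actually applied, unlike the else branch; `log.Debug("setting cookie max age to the default", "maxAge", defaultSessionMaxAge)` makes the two messages symmetric and the effective cookie lifetime visible in the logs.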
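Review bot: `Domain: setting.HTTPDomain()` rebuilds the cookie scope by hand, and it no longer matches what app/server.go in this same commit configures on the store: there `store.Options.Domain` is rewritten when `HTTPSecure()` is true, so a refreshed cookie would carry a different Domain attribute than the one the store issued and the browser keeps the two as separate cookies. The `secure` argument is likewise supplied by the caller in handlers/middleware.go as `c.Request().URL.Scheme == "https"`; for a request received by a Go server `URL.Scheme` is normally empty (net/http parses only the request-target), so the refresh is likely to drop the Secure flag the store set. Consider sourcing both from the settings, passing `setting.HTTPSecure()` at the call site, and keeping the Domain/Secure logic in one place rather than in two literals that can drift. The same middleware.go hunk also logs `"domain", setting.HTTPDomain` without calling it, which logs the method value rather than the domain. refreshSession's body continues outside the hunk.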