fix(go): set correct cookie params
This commit is contained in:
parent
07d19e6b77
commit
83f0ec7e15
@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
store.Options.Path = "/"
|
||||||
store.Options.Domain = a.setting.HTTPDomain()
|
store.Options.Domain = a.setting.HTTPDomain()
|
||||||
store.Options.HttpOnly = true
|
store.Options.HttpOnly = true
|
||||||
store.Options.SameSite = http.SameSiteStrictMode
|
store.Options.SameSite = http.SameSiteStrictMode
|
||||||
store.Options.Secure = a.setting.HTTPSecure()
|
store.Options.Secure = a.setting.HTTPSecure()
|
||||||
store.Options.MaxAge = a.setting.SessionMaxAge()
|
store.Options.MaxAge = a.setting.SessionMaxAge()
|
||||||
|
|
||||||
|
if a.setting.HTTPSecure() {
|
||||||
|
// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
|
||||||
|
// https://scotthelme.co.uk/tough-cookies/
|
||||||
|
// https://check-your-website.server-daten.de/prefix-cookies.html
|
||||||
|
store.Options.Domain = "__Host-" + store.Options.Domain
|
||||||
|
}
|
||||||
|
|
||||||
e.Use(session.Middleware(store))
|
e.Use(session.Middleware(store))
|
||||||
|
|
||||||
e.Use(middleware.Secure())
|
e.Use(middleware.Secure())
|
||||||
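Review bot: The `__Host-` prefix in `store.Options.Domain = "__Host-" + store.Options.Domain` is applied to the Domain attribute, but per the references linked in the comments above it the prefix is part of the cookie name, and a `__Host-` cookie must be sent with Secure, Path=/ and no Domain attribute at all. As written, whenever HTTPSecure() is true the browser receives a Domain value that cannot domain-match the request host and will drop the session cookie, so HTTPS sessions would not persist. The prefix belongs where the session cookie name is configured (presumably the value from SetSessionCookieName), and this branch should instead clear the attribute: `store.Options.Domain = ""`. SetServerSettings begins and ends outside this hunk, so where the name is consumed cannot be checked here.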
@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
|
|||||||
CookieHTTPOnly: true,
|
CookieHTTPOnly: true,
|
||||||
CookieSameSite: http.SameSiteStrictMode,
|
CookieSameSite: http.SameSiteStrictMode,
|
||||||
CookieMaxAge: a.setting.SessionMaxAge(),
|
CookieMaxAge: a.setting.SessionMaxAge(),
|
||||||
|
CookiePath: "/",
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
|
|||||||
s.SetIsLive(conf.LiveMode)
|
s.SetIsLive(conf.LiveMode)
|
||||||
s.SetIsDevel(conf.DevelMode)
|
s.SetIsDevel(conf.DevelMode)
|
||||||
s.SetLoggerIsJSON(conf.Logger.JSON)
|
s.SetLoggerIsJSON(conf.Logger.JSON)
|
||||||
|
s.SetSessionMaxAge(conf.Session.MaxAge)
|
||||||
s.SetSessionCookieName(conf.Session.CookieName)
|
s.SetSessionCookieName(conf.Session.CookieName)
|
||||||
s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
|
s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
|
||||||
s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
|
s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
|
||||||
@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
|
|||||||
// SetSessionMaxAge sets sessionMaxAge.
|
// SetSessionMaxAge sets sessionMaxAge.
|
||||||
func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
|
func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
|
||||||
if sessionMaxAge < 1 {
|
if sessionMaxAge < 1 {
|
||||||
|
log.Debug("setting cookie max age to the default")
|
||||||
|
|
||||||
s.sessionMaxAge = defaultSessionMaxAge
|
s.sessionMaxAge = defaultSessionMaxAge
|
||||||
} else {
|
} else {
|
||||||
|
log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
|
||||||
|
|
||||||
s.sessionMaxAge = sessionMaxAge
|
s.sessionMaxAge = sessionMaxAge
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
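Review bot: The doc comment `// SetSessionMaxAge sets sessionMaxAge.` only restates the name, and now that the setter has fallback behaviour the contract should be stated, e.g. `// SetSessionMaxAge stores the session cookie MaxAge; values below 1 (unset or invalid config) fall back to defaultSessionMaxAge.` The `sessionMaxAge < 1` guard also means an explicit 0 from config is never honoured; in the sessions package used by refreshSession a MaxAge of 0 usually denotes a browser-session-lifetime cookie, so if that is deliberately unsupported the comment should say so, and if not the guard should be `< 0`. The two Debug lines are otherwise fine, though the first could include the default value it applies for symmetry with the second.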
@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,
|
|||||||
|
|
||||||
func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
|
func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
|
||||||
sess.Options = &sessions.Options{
|
sess.Options = &sessions.Options{
|
||||||
|
Domain: setting.HTTPDomain(),
|
||||||
Path: path,
|
Path: path,
|
||||||
MaxAge: maxAge,
|
MaxAge: maxAge,
|
||||||
HttpOnly: httpOnly,
|
HttpOnly: httpOnly,
|
||||||
|
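Review bot: `Domain: setting.HTTPDomain(),` is read from package-level state inside refreshSession while every other cookie attribute (path, maxAge, httpOnly, secure, sameSite) is passed in by the caller, so the refreshed cookie's attributes now come from two sources and can diverge from what the session store was configured with in SetServerSettings. Cookie identity is name+domain+path, so a refresh that emits a different Domain than the original Set-Cookie leaves the browser holding two session cookies instead of overwriting one. Taking the domain as a parameter, `func refreshSession(sess *sessions.Session, domain, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite)` with `Domain: domain,`, keeps a single source of truth; the one call site in MiddlewareSession would need the extra argument. The struct literal and function body continue past the end of this hunk.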
@ -37,7 +37,12 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
|
|||||||
if uname != nil {
|
if uname != nil {
|
||||||
username = uname.(string)
|
username = uname.(string)
|
||||||
|
|
||||||
log.Debug("Refreshing session cookie", "username", username, "module", "middleware")
|
// nolint:goconst
|
||||||
|
log.Info("Refreshing session cookie", "username", username,
|
||||||
|
"module", "middleware",
|
||||||
|
"maxAge", setting.SessionMaxAge(),
|
||||||
|
"secure", c.Request().URL.Scheme == "https",
|
||||||
|
"domain", setting.HTTPDomain)
|
||||||
|
|
||||||
refreshSession(
|
refreshSession(
|
||||||
sess,
|
sess,
|
||||||
|