fix(go): set correct cookie params

This commit is contained in:
surtur 2023-09-04 21:02:06 +02:00
parent 07d19e6b77
commit 83f0ec7e15
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
4 changed files with 22 additions and 2 deletions

@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
) )
} }
store.Options.Path = "/"
store.Options.Domain = a.setting.HTTPDomain() store.Options.Domain = a.setting.HTTPDomain()
store.Options.HttpOnly = true store.Options.HttpOnly = true
store.Options.SameSite = http.SameSiteStrictMode store.Options.SameSite = http.SameSiteStrictMode
store.Options.Secure = a.setting.HTTPSecure() store.Options.Secure = a.setting.HTTPSecure()
store.Options.MaxAge = a.setting.SessionMaxAge() store.Options.MaxAge = a.setting.SessionMaxAge()
if a.setting.HTTPSecure() {
// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
// https://scotthelme.co.uk/tough-cookies/
// https://check-your-website.server-daten.de/prefix-cookies.html
store.Options.Domain = "__Host-" + store.Options.Domain
}
e.Use(session.Middleware(store)) e.Use(session.Middleware(store))
e.Use(middleware.Secure()) e.Use(middleware.Secure())
@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
CookieHTTPOnly: true, CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode, CookieSameSite: http.SameSiteStrictMode,
CookieMaxAge: a.setting.SessionMaxAge(), CookieMaxAge: a.setting.SessionMaxAge(),
CookiePath: "/",
}, },
) )
} }
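Review bot: `store.Options.Domain = "__Host-" + store.Options.Domain` in the `if a.setting.HTTPSecure()` block of SetServerSettings puts a cookie-name prefix into the Domain attribute, which is not how the three linked articles use it. `__Host-` is a prefix of the cookie name, and a browser only accepts such a cookie when it is Secure, has `Path=/` and carries no Domain attribute at all; a `Set-Cookie` whose Domain is `__Host-<host>` fails domain matching and is discarded, so sessions would silently break on exactly the HTTPS deployments this branch targets. Inside the branch set `store.Options.Domain = ""` instead, and prepend `__Host-` to the configured session cookie name (the value set via `SetSessionCookieName` in this commit) at the place where the session is looked up, which is outside this hunk. The CSRF cookie in the second hunk gains only `CookiePath: "/"` and is not affected, but it would need the same name-prefix treatment if it were ever hardened the same way.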

@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
s.SetIsLive(conf.LiveMode) s.SetIsLive(conf.LiveMode)
s.SetIsDevel(conf.DevelMode) s.SetIsDevel(conf.DevelMode)
s.SetLoggerIsJSON(conf.Logger.JSON) s.SetLoggerIsJSON(conf.Logger.JSON)
s.SetSessionMaxAge(conf.Session.MaxAge)
s.SetSessionCookieName(conf.Session.CookieName) s.SetSessionCookieName(conf.Session.CookieName)
s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret) s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret) s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
// SetSessionMaxAge sets sessionMaxAge. // SetSessionMaxAge sets sessionMaxAge.
func (s *Settings) SetSessionMaxAge(sessionMaxAge int) { func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
if sessionMaxAge < 1 { if sessionMaxAge < 1 {
log.Debug("setting cookie max age to the default")
s.sessionMaxAge = defaultSessionMaxAge s.sessionMaxAge = defaultSessionMaxAge
} else { } else {
log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
s.sessionMaxAge = sessionMaxAge s.sessionMaxAge = sessionMaxAge
} }
} }
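Review bot: SetSessionMaxAge folds every value below 1 into defaultSessionMaxAge, but neither the doc comment nor the new debug line records what was rejected, so a `conf.Session.MaxAge` of 0 or a negative number is indistinguishable in the logs from one that was never set. Extend the comment to `// SetSessionMaxAge sets sessionMaxAge; values below 1 fall back to defaultSessionMaxAge.` and include the rejected input in the first log call, `log.Debug("setting cookie max age to the default", "configured", sessionMaxAge, "default", defaultSessionMaxAge)`. This value later lands in `store.Options.MaxAge` in the first file, where, if the store is gorilla/sessions, 0 means a browser-session cookie and a negative value means delete; both meanings are now unreachable from configuration, which is reasonable for a session cookie but worth stating in the comment.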

@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,
func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) { func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
sess.Options = &sessions.Options{ sess.Options = &sessions.Options{
Domain: setting.HTTPDomain(),
Path: path, Path: path,
MaxAge: maxAge, MaxAge: maxAge,
HttpOnly: httpOnly, HttpOnly: httpOnly,

@ -37,14 +37,19 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
if uname != nil { if uname != nil {
username = uname.(string) username = uname.(string)
log.Debug("Refreshing session cookie", "username", username, "module", "middleware") // nolint:goconst
log.Info("Refreshing session cookie", "username", username,
"module", "middleware",
"maxAge", setting.SessionMaxAge(),
"secure", c.Request().URL.Scheme == "https",
"domain", setting.HTTPDomain)
refreshSession( refreshSession(
sess, sess,
"/", "/",
setting.SessionMaxAge(), setting.SessionMaxAge(),
true, true,
c.Request().URL.Scheme == "https", //nolint:goconst c.Request().URL.Scheme == "https", // nolint:goconst
http.SameSiteStrictMode, http.SameSiteStrictMode,
) )