fix(go): set correct cookie params
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
07d19e6b77
commit
83f0ec7e15
@ -129,12 +129,20 @@ func (a *App) SetServerSettings() {
|
||||
)
|
||||
}
|
||||
|
||||
store.Options.Path = "/"
|
||||
store.Options.Domain = a.setting.HTTPDomain()
|
||||
store.Options.HttpOnly = true
|
||||
store.Options.SameSite = http.SameSiteStrictMode
|
||||
store.Options.Secure = a.setting.HTTPSecure()
|
||||
store.Options.MaxAge = a.setting.SessionMaxAge()
|
||||
|
||||
if a.setting.HTTPSecure() {
|
||||
// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
|
||||
// https://scotthelme.co.uk/tough-cookies/
|
||||
// https://check-your-website.server-daten.de/prefix-cookies.html
|
||||
store.Options.Domain = "__Host-" + store.Options.Domain
|
||||
}
|
||||
|
||||
e.Use(session.Middleware(store))
|
||||
|
||||
e.Use(middleware.Secure())
|
||||
@ -165,6 +173,7 @@ func (a *App) csrfConfig() echo.MiddlewareFunc {
|
||||
CookieHTTPOnly: true,
|
||||
CookieSameSite: http.SameSiteStrictMode,
|
||||
CookieMaxAge: a.setting.SessionMaxAge(),
|
||||
CookiePath: "/",
|
||||
},
|
||||
)
|
||||
}
|
||||
|
@ -114,6 +114,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev
|
||||
s.SetIsLive(conf.LiveMode)
|
||||
s.SetIsDevel(conf.DevelMode)
|
||||
s.SetLoggerIsJSON(conf.Logger.JSON)
|
||||
s.SetSessionMaxAge(conf.Session.MaxAge)
|
||||
s.SetSessionCookieName(conf.Session.CookieName)
|
||||
s.SetSessionCookieAuthSecret(conf.Session.CookieAuthSecret)
|
||||
s.SetSessionCookieEncrSecret(conf.Session.CookieEncrSecret)
|
||||
@ -387,8 +388,12 @@ func (s *Settings) SetSessionCookieEncrSecret(sessionCookieEncrSecret string) {
|
||||
// SetSessionMaxAge sets sessionMaxAge.
|
||||
func (s *Settings) SetSessionMaxAge(sessionMaxAge int) {
|
||||
if sessionMaxAge < 1 {
|
||||
log.Debug("setting cookie max age to the default")
|
||||
|
||||
s.sessionMaxAge = defaultSessionMaxAge
|
||||
} else {
|
||||
log.Debug("setting cookie max age to a config-provided value", "maxAge", sessionMaxAge)
|
||||
|
||||
s.sessionMaxAge = sessionMaxAge
|
||||
}
|
||||
}
|
||||
|
@ -23,6 +23,7 @@ func getUserByID(ctx context.Context, client *ent.Client, id string) (*ent.User,
|
||||
|
||||
func refreshSession(sess *sessions.Session, path string, maxAge int, httpOnly, secure bool, sameSite http.SameSite) {
|
||||
sess.Options = &sessions.Options{
|
||||
Domain: setting.HTTPDomain(),
|
||||
Path: path,
|
||||
MaxAge: maxAge,
|
||||
HttpOnly: httpOnly,
|
||||
|
@ -37,7 +37,12 @@ func MiddlewareSession(next echo.HandlerFunc) echo.HandlerFunc {
|
||||
if uname != nil {
|
||||
username = uname.(string)
|
||||
|
||||
log.Debug("Refreshing session cookie", "username", username, "module", "middleware")
|
||||
// nolint:goconst
|
||||
log.Info("Refreshing session cookie", "username", username,
|
||||
"module", "middleware",
|
||||
"maxAge", setting.SessionMaxAge(),
|
||||
"secure", c.Request().URL.Scheme == "https",
|
||||
"domain", setting.HTTPDomain)
|
||||
|
||||
refreshSession(
|
||||
sess,
|
||||
|
Loading…
Reference in New Issue
Block a user