feat: remove login session cookie #3667

Merged
merged 3 commits into from
Nov 15, 2023


@hperl hperl commented Nov 14, 2023

Related issue(s)

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@hperl hperl requested a review from aeneasr as a code owner November 14, 2023 12:53
@hperl hperl force-pushed the hperl/remove-login-session-cookie branch from 0204c18 to 4855724 Compare November 14, 2023 12:54

codecov bot commented Nov 14, 2023

Codecov Report

Attention: 10 lines in your changes are missing coverage. Please review.

Comparison is base (f0501d2) 76.15% compared to head (5cc8fa8) 75.90%.
Report is 5 commits behind head on master.

❗ Current head 5cc8fa8 differs from pull request most recent head e2922c4. Consider uploading reports for the commit e2922c4 to get more accurate results

Files                                   Patch %   Lines
consent/csrf.go                         84.84%    2 Missing and 3 partials ⚠️
consent/strategy_default.go             78.57%    2 Missing and 1 partial ⚠️
persistence/sql/persister_consent.go    94.59%    1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3667      +/-   ##
==========================================
- Coverage   76.15%   75.90%   -0.26%     
==========================================
  Files         133      134       +1     
  Lines       10044    10075      +31     
==========================================
- Hits         7649     7647       -2     
- Misses       1878     1912      +34     
+ Partials      517      516       -1     


@hperl hperl force-pushed the hperl/remove-login-session-cookie branch 2 times, most recently from 802ac23 to d5f8aaf Compare November 14, 2023 13:47
@hperl hperl force-pushed the hperl/remove-login-session-cookie branch 4 times, most recently from ea1eb62 to a9f03dc Compare November 14, 2023 14:09

@aeneasr aeneasr left a comment

First pass - this looks good. Let's see what the CI has to say!

I assume the cookie is still going to be set after the consent challenge has been accepted, correct? It's simply not needed during the login/consent dance (which was previously the case)

persistence/sql/persister_consent.go (resolved)
@hperl hperl force-pushed the hperl/remove-login-session-cookie branch from a9f03dc to dd52765 Compare November 14, 2023 14:25

hperl commented Nov 15, 2023

> First pass - this looks good. Let's see what the CI has to say!

The CI is very excited about this change ;)

> I assume the cookie is still going to be set after the consent challenge has been accepted, correct? It's simply not needed during the login/consent dance (which was previously the case)

Yes, the final session cookie gets written here:

	// Not a skipped login and the user asked to remember its session, store a cookie
	cookie, _ := store.Get(r, s.c.SessionCookieName(ctx))
	cookie.Values[CookieAuthenticationSIDName] = sessionID
	if session.RememberFor >= 0 {
		cookie.Options.MaxAge = session.RememberFor
	}
	cookie.Options.HttpOnly = true
	cookie.Options.Path = s.c.SessionCookiePath(ctx)
	cookie.Options.SameSite = s.c.CookieSameSiteMode(ctx)
	cookie.Options.Secure = s.c.CookieSecure(ctx)
	if err := cookie.Save(r, w); err != nil {
		return nil, errorsx.WithStack(err)
	}

@aeneasr aeneasr merged commit 5f41949 into master Nov 15, 2023
28 checks passed
@aeneasr aeneasr deleted the hperl/remove-login-session-cookie branch November 15, 2023 09:05