#210 set session cookie SameSite

vouch · Apr 28, 2020 · 630f28d · 630f28d
1 parent 399ea5e
commit 630f28d
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 15 deletions.
diff --git a/handlers/handlers.go b/handlers/handlers.go
@@ -71,6 +71,7 @@ func Configure() {
 	sessstore = sessions.NewCookieStore([]byte(cfg.Cfg.Session.Key))
 	sessstore.Options.HttpOnly = cfg.Cfg.Cookie.HTTPOnly
 	sessstore.Options.Secure = cfg.Cfg.Cookie.Secure
+	sessstore.Options.SameSite = cookie.SameSite()
 
 	log.Debugf("handlers.Configure() attempting to parse templates with cfg.RootDir: %s", cfg.RootDir)
 	indexTemplate = template.Must(template.ParseFiles(filepath.Join(cfg.RootDir, "templates/index.tmpl")))

diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
@@ -37,21 +37,7 @@ func setCookie(w http.ResponseWriter, r *http.Request, val string, maxAge int) {
 		domain = cfg.Cfg.Cookie.Domain
 		log.Debugf("setting the cookie domain to %v", domain)
 	}
-
-	sameSite := http.SameSite(0)
-	if cfg.Cfg.Cookie.SameSite != "" {
-		switch strings.ToLower(cfg.Cfg.Cookie.SameSite) {
-		case "lax":
-			sameSite = http.SameSiteLaxMode
-		case "strict":
-			sameSite = http.SameSiteStrictMode
-		case "none":
-			if cfg.Cfg.Cookie.Secure == false {
-				log.Error("SameSite cookie attribute with sameSite=none should also be specified with secure=true.")
-			}
-			sameSite = http.SameSiteNoneMode
-		}
-	}
+	sameSite := SameSite()
 
 	cookie := http.Cookie{
 		Name:     cfg.Cfg.Cookie.Name,
@@ -177,6 +163,27 @@ func ClearCookie(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// SameSite return cfg.Cfg.Cookie.SameSite as http.Samesite
+// if cfg.Cfg.Cookie.SameSite is unconfigured return http.SameSite(0)
+// see https://github.com/vouch/vouch-proxy/issues/210
+func SameSite() http.SameSite {
+	sameSite := http.SameSite(0)
+	if cfg.Cfg.Cookie.SameSite != "" {
+		switch strings.ToLower(cfg.Cfg.Cookie.SameSite) {
+		case "lax":
+			sameSite = http.SameSiteLaxMode
+		case "strict":
+			sameSite = http.SameSiteStrictMode
+		case "none":
+			if cfg.Cfg.Cookie.Secure == false {
+				log.Error("SameSite cookie attribute with sameSite=none should also be specified with secure=true.")
+			}
+			sameSite = http.SameSiteNoneMode
+		}
+	}
+	return sameSite
+}
+
 // splitCookie separate string into several strings of specified length
 func splitCookie(longString string, maxLen int) []string {
 	splits := make([]string, 0)