From 630f28d9e5ebd2b188caf2d643952beeff7e1b93 Mon Sep 17 00:00:00 2001
From: Benjamin Foote
Date: Tue, 28 Apr 2020 14:32:30 -0700
Subject: [PATCH] #210 set session cookie SameSite
---
 handlers/handlers.go | 1 +
 pkg/cookie/cookie.go | 37 ++++++++++++++++++++++---------------
 2 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/handlers/handlers.go b/handlers/handlers.go
index 0d2bb9ea..04113a62 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -71,6 +71,7 @@ func Configure() {
 sessstore = sessions.NewCookieStore([]byte(cfg.Cfg.Session.Key))
 sessstore.Options.HttpOnly = cfg.Cfg.Cookie.HTTPOnly
 sessstore.Options.Secure = cfg.Cfg.Cookie.Secure
+ sessstore.Options.SameSite = cookie.SameSite()
 log.Debugf("handlers.Configure() attempting to parse templates with cfg.RootDir: %s", cfg.RootDir)
 indexTemplate = template.Must(template.ParseFiles(filepath.Join(cfg.RootDir, "templates/index.tmpl")))
diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
index e835be95..fe0f6f07 100644
--- a/pkg/cookie/cookie.go
+++ b/pkg/cookie/cookie.go
@@ -37,21 +37,7 @@ func setCookie(w http.ResponseWriter, r *http.Request, val string, maxAge int) {
 domain = cfg.Cfg.Cookie.Domain
 log.Debugf("setting the cookie domain to %v", domain)
 }
-
- sameSite := http.SameSite(0)
- if cfg.Cfg.Cookie.SameSite != "" {
- switch strings.ToLower(cfg.Cfg.Cookie.SameSite) {
- case "lax":
- sameSite = http.SameSiteLaxMode
- case "strict":
- sameSite = http.SameSiteStrictMode
- case "none":
- if cfg.Cfg.Cookie.Secure == false {
- log.Error("SameSite cookie attribute with sameSite=none should also be specified with secure=true.")
- }
- sameSite = http.SameSiteNoneMode
- }
- }
+ sameSite := SameSite()
 cookie := http.Cookie{
 Name: cfg.Cfg.Cookie.Name,
@@ -177,6 +163,27 @@ func ClearCookie(w http.ResponseWriter, r *http.Request) {
 }
 }
+// SameSite return cfg.Cfg.Cookie.SameSite as http.Samesite
+// if cfg.Cfg.Cookie.SameSite is unconfigured return http.SameSite(0)
+// see https://github.com/vouch/vouch-proxy/issues/210
+func SameSite() http.SameSite {
+ sameSite := http.SameSite(0)
+ if cfg.Cfg.Cookie.SameSite != "" {
+ switch strings.ToLower(cfg.Cfg.Cookie.SameSite) {
+ case "lax":
+ sameSite = http.SameSiteLaxMode
+ case "strict":
+ sameSite = http.SameSiteStrictMode
+ case "none":
+ if cfg.Cfg.Cookie.Secure == false {
+ log.Error("SameSite cookie attribute with sameSite=none should also be specified with secure=true.")
+ }
+ sameSite = http.SameSiteNoneMode
+ }
+ }
+ return sameSite
+}
+
 // splitCookie separate string into several strings of specified length
 func splitCookie(longString string, maxLen int) []string {
 splits := make([]string, 0)
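Review bot: An unrecognised `cfg.Cfg.Cookie.SameSite` value (a typo of "strict", say) falls through the `switch` in the new `SameSite()` silently and yields `http.SameSite(0)`, so both the auth cookie and the session store end up without the attribute and the operator gets no signal; a `default:` branch such as `default: log.Error("unrecognized cookie sameSite value, leaving attribute unset: " + cfg.Cfg.Cookie.SameSite)` would surface the misconfiguration at Configure time. `if cfg.Cfg.Cookie.Secure == false {` reads better as `if !cfg.Cfg.Cookie.Secure {`; that check matters because browsers reject a SameSite=None cookie that is not also Secure, so this log line is the only hint the operator gets that the cookie will be dropped. The doc comment has two slips and should read `// SameSite returns cfg.Cfg.Cookie.SameSite as an http.SameSite;` (returns, and SameSite rather than Samesite). Because the function reads package globals, the mapping could be split into a pure `sameSiteFromString(value string, secure bool) http.SameSite` helper that `SameSite()` wraps, so the lax/strict/none table can be unit-tested without populating cfg.Cfg.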