From 0782b3b0fae8eca61ba606a07ede959b9a960343 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Sat, 5 Aug 2023 22:09:27 +0200
Subject: [PATCH] =?UTF-8?q?providers/proxy:=20set=20outpost=20session=20co?=
 =?UTF-8?q?okie=20to=20httponly=20and=20secure=20wh=E2=80=A6=20(#6482)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* providers/proxy: set outpost session cookie to httponly and secure when possible

Signed-off-by: Jens Langhammer

* set samesite too

Signed-off-by: Jens Langhammer

---------

Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/session.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go
index e97c581e6..a6c36ae73 100644
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@@ -3,6 +3,7 @@ package application
 import (
 	"fmt"
 	"math"
+	"net/http"
 	"net/url"
 	"os"
 	"path"
@@ -37,7 +38,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		rs.SetMaxLength(math.MaxInt)
 		rs.SetKeyPrefix(RedisKeyPrefix)
+		rs.Options.HttpOnly = true
+		if strings.ToLower(externalHost.Scheme) == "https" {
+			rs.Options.Secure = true
+		}
 		rs.Options.Domain = *p.CookieDomain
+		rs.Options.SameSite = http.SameSiteLaxMode
 		a.log.Trace("using redis session backend")
 		return rs
 	}
@@ -51,7 +57,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
 	cs.MaxLength(math.MaxInt)
+	cs.Options.HttpOnly = true
+	if strings.ToLower(externalHost.Scheme) == "https" {
+		cs.Options.Secure = true
+	}
 	cs.Options.Domain = *p.CookieDomain
+	cs.Options.SameSite = http.SameSiteLaxMode
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }
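Review bot: The cookie hardening is written out twice — once for the Redis store in the `-37,7 +38,12` hunk and again, line for line, for the filesystem store in the `-51,7 +57,12` hunk — so the two backends will drift the next time an attribute is added or the Secure rule changes; factoring the three assignments into one helper that takes the store's `*sessions.Options` keeps both cookies identical by construction. The conditional Secure flag also deserves a why-comment at the point it is set, since a reader may otherwise "fix" it to unconditional: `// Secure only when the external host is https: a browser never returns a Secure cookie over plain http, so every request would look unauthenticated`. `strings.ToLower` on the scheme looks redundant because net/url lowercases Scheme when parsing, though keeping it is harmless. getStore starts and ends outside both hunks, and the helper below presumes the file already imports gorilla/sessions for the filesystem store.
```go
// applyCookieOptions applies the hardening shared by every session backend.
// Domain and MaxAge are left to the caller, which has the outpost config.
func applyCookieOptions(o *sessions.Options, externalHost *url.URL) {
	o.HttpOnly = true
	// Secure only when the external host is https: a browser never returns a
	// Secure cookie over plain http, so every request would look unauthenticated.
	if strings.ToLower(externalHost.Scheme) == "https" {
		o.Secure = true
	}
	o.SameSite = http.SameSiteLaxMode
}

// … unchanged: redis branch up to rs.SetKeyPrefix(RedisKeyPrefix) …
		applyCookieOptions(rs.Options, externalHost)
		rs.Options.Domain = *p.CookieDomain
// … unchanged: filesystem branch up to cs.MaxLength(math.MaxInt) …
	applyCookieOptions(cs.Options, externalHost)
	cs.Options.Domain = *p.CookieDomain
```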