providers/proxy: set outpost session cookie to httponly and secure wh… (#6482)

* providers/proxy: set outpost session cookie to httponly and secure when possible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set samesite too

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/proxyv2/application/session.go

@@ -3,6 +3,7 @@ package application
 import (
 	"fmt"
 	"math"
+	"net/http"
 	"net/url"
 	"os"
 	"path"
@@ -37,7 +38,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		rs.SetMaxLength(math.MaxInt)
 		rs.SetKeyPrefix(RedisKeyPrefix)
 
+		rs.Options.HttpOnly = true
+		if strings.ToLower(externalHost.Scheme) == "https" {
+			rs.Options.Secure = true
+		}
 		rs.Options.Domain = *p.CookieDomain
+		rs.Options.SameSite = http.SameSiteLaxMode
 		a.log.Trace("using redis session backend")
 		return rs
 	}
@@ -51,7 +57,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 
 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
 	cs.MaxLength(math.MaxInt)
+	cs.Options.HttpOnly = true
+	if strings.ToLower(externalHost.Scheme) == "https" {
+		cs.Options.Secure = true
+	}
 	cs.Options.Domain = *p.CookieDomain
+	cs.Options.SameSite = http.SameSiteLaxMode
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }