providers/proxy: set outpost session cookie to httponly and secure wh… (#6482)

* providers/proxy: set outpost session cookie to httponly and secure when possible

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set samesite too

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-08-05 22:09:27 +02:00 committed by GitHub
parent 06091364fc
commit 0782b3b0fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions

View File

@ -3,6 +3,7 @@ package application
import (
"fmt"
"math"
"net/http"
"net/url"
"os"
"path"
@ -37,7 +38,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
rs.SetMaxLength(math.MaxInt)
rs.SetKeyPrefix(RedisKeyPrefix)
rs.Options.HttpOnly = true
if strings.ToLower(externalHost.Scheme) == "https" {
rs.Options.Secure = true
}
rs.Options.Domain = *p.CookieDomain
rs.Options.SameSite = http.SameSiteLaxMode
a.log.Trace("using redis session backend")
return rs
}
@ -51,7 +57,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
cs.MaxLength(math.MaxInt)
cs.Options.HttpOnly = true
if strings.ToLower(externalHost.Scheme) == "https" {
cs.Options.Secure = true
}
cs.Options.Domain = *p.CookieDomain
cs.Options.SameSite = http.SameSiteLaxMode
a.log.WithField("dir", dir).Trace("using filesystem session backend")
return cs
}