fix some auth/cookie weirdness

2025-12-19 01:33:00 -06:00 · 2021-07-08 11:18:38 +02:00 · 2021-07-08 11:18:38 +02:00 · ec9974844c
commit ec9974844c
parent e3ca835ff6
4 changed files with 63 additions and 28 deletions
--- a/internal/router/session.go
+++ b/internal/router/session.go
@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
+	"net/http"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
@ -63,6 +64,14 @@ func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error {
 	}

 	store := memstore.NewStore(rs.Auth, rs.Crypt)
+	store.Options(sessions.Options{
+		Path:     "/",
+		Domain:   cfg.Host,
+		MaxAge:   120,                     // 2 minutes
+		Secure:   true,                    // only use cookie over https
+		HttpOnly: true,                    // exclude javascript from inspecting cookie
+		SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+	})
 	sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host)
 	engine.Use(sessions.Sessions(sessionName, store))
 	return nil