Make cookies HttpOnly and obey COOKIE_SECURE flag (#4707)
This commit is contained in:
parent
cbe8a1f0e6
commit
052aa54b2b
|
@ -116,12 +116,13 @@ func NewMacaron() *macaron.Macaron {
|
||||||
}))
|
}))
|
||||||
m.Use(session.Sessioner(setting.SessionConfig))
|
m.Use(session.Sessioner(setting.SessionConfig))
|
||||||
m.Use(csrf.Csrfer(csrf.Options{
|
m.Use(csrf.Csrfer(csrf.Options{
|
||||||
Secret: setting.SecretKey,
|
Secret: setting.SecretKey,
|
||||||
Cookie: setting.CSRFCookieName,
|
Cookie: setting.CSRFCookieName,
|
||||||
SetCookie: true,
|
SetCookie: true,
|
||||||
Secure: setting.SessionConfig.Secure,
|
Secure: setting.SessionConfig.Secure,
|
||||||
Header: "X-Csrf-Token",
|
CookieHttpOnly: true,
|
||||||
CookiePath: setting.AppSubURL,
|
Header: "X-Csrf-Token",
|
||||||
|
CookiePath: setting.AppSubURL,
|
||||||
}))
|
}))
|
||||||
m.Use(toolbox.Toolboxer(m, toolbox.Options{
|
m.Use(toolbox.Toolboxer(m, toolbox.Options{
|
||||||
HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
|
HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
|
||||||
|
|
|
@ -56,8 +56,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
||||||
defer func() {
|
defer func() {
|
||||||
if !isSucceed {
|
if !isSucceed {
|
||||||
log.Trace("auto-login cookie cleared: %s", uname)
|
log.Trace("auto-login cookie cleared: %s", uname)
|
||||||
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -77,7 +77,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
||||||
isSucceed = true
|
isSucceed = true
|
||||||
ctx.Session.Set("uid", u.ID)
|
ctx.Session.Set("uid", u.ID)
|
||||||
ctx.Session.Set("uname", u.Name)
|
ctx.Session.Set("uname", u.Name)
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -91,13 +91,13 @@ func checkAutoLogin(ctx *context.Context) bool {
|
||||||
|
|
||||||
redirectTo := ctx.Query("redirect_to")
|
redirectTo := ctx.Query("redirect_to")
|
||||||
if len(redirectTo) > 0 {
|
if len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
} else {
|
} else {
|
||||||
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
|
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
|
||||||
}
|
}
|
||||||
|
|
||||||
if isSucceed {
|
if isSucceed {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
|
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -438,9 +438,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
|
||||||
func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
|
func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
|
||||||
if remember {
|
if remember {
|
||||||
days := 86400 * setting.LogInRememberDays
|
days := 86400 * setting.LogInRememberDays
|
||||||
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
|
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
||||||
setting.CookieRememberName, u.Name, days, setting.AppSubURL)
|
setting.CookieRememberName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Session.Delete("openid_verified_uri")
|
ctx.Session.Delete("openid_verified_uri")
|
||||||
|
@ -464,10 +464,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL)
|
ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
|
|
||||||
// Clear whatever CSRF has right now, force to generate a new one
|
// Clear whatever CSRF has right now, force to generate a new one
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
|
|
||||||
// Register last login
|
// Register last login
|
||||||
u.SetLastLogin()
|
u.SetLastLogin()
|
||||||
|
@ -477,7 +477,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
||||||
}
|
}
|
||||||
|
|
||||||
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
|
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
if obeyRedirect {
|
if obeyRedirect {
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
}
|
}
|
||||||
|
@ -558,7 +558,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
|
||||||
ctx.Session.Set("uname", u.Name)
|
ctx.Session.Set("uname", u.Name)
|
||||||
|
|
||||||
// Clear whatever CSRF has right now, force to generate a new one
|
// Clear whatever CSRF has right now, force to generate a new one
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
|
|
||||||
// Register last login
|
// Register last login
|
||||||
u.SetLastLogin()
|
u.SetLastLogin()
|
||||||
|
@ -568,7 +568,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
|
||||||
}
|
}
|
||||||
|
|
||||||
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
|
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -844,10 +844,10 @@ func SignOut(ctx *context.Context) {
|
||||||
ctx.Session.Delete("socialId")
|
ctx.Session.Delete("socialId")
|
||||||
ctx.Session.Delete("socialName")
|
ctx.Session.Delete("socialName")
|
||||||
ctx.Session.Delete("socialEmail")
|
ctx.Session.Delete("socialEmail")
|
||||||
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL)
|
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.SetCookie("lang", "", -1, setting.AppSubURL) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
|
ctx.SetCookie("lang", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
|
||||||
ctx.Redirect(setting.AppSubURL + "/")
|
ctx.Redirect(setting.AppSubURL + "/")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -44,13 +44,13 @@ func SignInOpenID(ctx *context.Context) {
|
||||||
|
|
||||||
redirectTo := ctx.Query("redirect_to")
|
redirectTo := ctx.Query("redirect_to")
|
||||||
if len(redirectTo) > 0 {
|
if len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
} else {
|
} else {
|
||||||
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
|
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
|
||||||
}
|
}
|
||||||
|
|
||||||
if isSucceed {
|
if isSucceed {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -103,7 +103,7 @@ func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update the language to the one we just set
|
// Update the language to the one we just set
|
||||||
ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL)
|
ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
||||||
|
|
||||||
log.Trace("User settings updated: %s", ctx.User.Name)
|
log.Trace("User settings updated: %s", ctx.User.Name)
|
||||||
ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))
|
ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))
|
||||||
|
|
Loading…
Reference in New Issue