Skip to content

Commit

Permalink
fix: enable Secure when using TLS and enable HttpOnly (#24524) (#24526)
Browse files Browse the repository at this point in the history
Set the HttpOnly and, when TLS is enabled,
Secure flags on cookies

closes: #24522

(cherry picked from commit 8e8700f)

closes #24523
  • Loading branch information
davidby-influx authored Dec 20, 2023
1 parent 535e869 commit 66ebe36
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 3 deletions.
6 changes: 4 additions & 2 deletions session/http_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ func (h *SessionHandler) handleSignin(w http.ResponseWriter, r *http.Request) {
return
}

encodeCookieSession(w, s)
encodeCookieSession(w, s, (r != nil) && (r.TLS != nil))
w.WriteHeader(http.StatusNoContent)
}

Expand Down Expand Up @@ -163,7 +163,7 @@ func decodeSignoutRequest(ctx context.Context, r *http.Request) (*signoutRequest

const cookieSessionName = "influxdb-oss-session"

func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) {
func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled bool) {
// We only need the session cookie for accesses to "/api/...", so limit
// it to that using "Path".
//
Expand Down Expand Up @@ -208,6 +208,8 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) {
Path: "/api/", // since UI doesn't need it, limit cookie usage to API requests
Expires: s.ExpiresAt,
SameSite: http.SameSiteStrictMode,
HttpOnly: true,
Secure: tlsEnabled,
}

http.SetCookie(w, c)
Expand Down
2 changes: 1 addition & 1 deletion session/http_server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ func TestSessionHandler_handleSignin(t *testing.T) {
password: "supersecret",
},
wants: wants{
cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; SameSite=Strict",
cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; HttpOnly; SameSite=Strict",
code: http.StatusNoContent,
},
},
Expand Down

0 comments on commit 66ebe36

Please sign in to comment.