fix: enable HttpOnly and Secure using TLS #24524

Merged
merged 4 commits into from
Dec 20, 2023

davidby-influx
Contributor

When TLS is enabled, set the HttpOnly and
Secure flags when a cookie is created.

closes: #24522

@@ -208,6 +208,8 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) {
Path: "/api/", // since UI doesn't need it, limit cookie usage to API requests
Expires: s.ExpiresAt,
SameSite: http.SameSiteStrictMode,
HttpOnly: tlsEnabled,
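Review bot: `HttpOnly: tlsEnabled` ties the HttpOnly flag to the transport setting, so a deployment running without TLS issues a session cookie that page scripts can read. HttpOnly does not depend on HTTPS; set `HttpOnly: true` unconditionally and keep only the Secure flag conditional on tlsEnabled. The signature in the hunk header takes only `w` and `s`, so tlsEnabled is not a parameter of this function; a short comment on where it is set would help, and a unit test asserting the Set-Cookie attributes with TLS on and off would pin the behaviour. The Secure line named in the description is not among the lines shown here.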
Thanks for the patch! HttpOnly should be set regardless of tlsEnabled (we can still help guard against XSS when not using TLS after all).
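
Added example, not part of this pull request or of the project's code: a small Go check that runs a handler and reports which hardening attributes are missing from the cookies it sets, comparing the hunk's `HttpOnly: tlsEnabled` with the behaviour the review asks for. `sessionHandler`, `auditCookies`, the cookie name and the cookie value are hypothetical and constructed for illustration; only `Path`, `SameSite` and the flag logic come from the hunk.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// sessionHandler is a hypothetical stand-in for the code that calls
// encodeCookieSession. httpOnlyAlways=false reproduces the hunk's
// `HttpOnly: tlsEnabled`; true is the behaviour the review asked for.
func sessionHandler(tlsEnabled, httpOnlyAlways bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{
			Name:     "session",         // constructed name
			Value:    "constructed-key", // constructed value
			Path:     "/api/",
			Expires:  time.Now().Add(time.Hour),
			SameSite: http.SameSiteStrictMode,
			HttpOnly: httpOnlyAlways || tlsEnabled,
			Secure:   tlsEnabled,
		})
	})
}

// auditCookies runs h once and returns, per cookie name, the hardening
// attributes missing from its Set-Cookie header. Secure is only checked
// when the deployment serves TLS (overTLS).
func auditCookies(h http.Handler, overTLS bool) map[string][]string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/api/", nil))
	findings := map[string][]string{}
	for _, c := range rec.Result().Cookies() {
		if !c.HttpOnly {
			findings[c.Name] = append(findings[c.Name], "HttpOnly")
		}
		if overTLS && !c.Secure {
			findings[c.Name] = append(findings[c.Name], "Secure")
		}
		if c.SameSite != http.SameSiteStrictMode && c.SameSite != http.SameSiteLaxMode {
			findings[c.Name] = append(findings[c.Name], "SameSite")
		}
	}
	return findings
}

func main() {
	fmt.Println("hunk as shown, no TLS:", auditCookies(sessionHandler(false, false), false))
	fmt.Println("HttpOnly always, no TLS:", auditCookies(sessionHandler(false, true), false))
}
```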

@davidby-influx davidby-influx merged commit 8e8700f into main-2.x Dec 20, 2023
26 checks passed
@davidby-influx davidby-influx deleted the DSB_secure_cookie_main-2.x branch December 20, 2023 19:49
davidby-influx added a commit that referenced this pull request Dec 20, 2023
Set the HttpOnly and, when TLS is enabled,
Secure flags on cookies

closes: #24522

(cherry picked from commit 8e8700f)

closes #24523