improvement (cookie): leverage the 'SameSite' attribute

2025-11-02 11:57:04 +08:00 · 2018-12-19 21:13:08 +11:00
parent 1d5d836caa
commit e1b0eab5e1
3 changed files with 5 additions and 2 deletions
--- a/server/ctrl/admin.go
+++ b/server/ctrl/admin.go
@ -67,6 +67,7 @@ func AdminSessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Reques
 		Value:  obfuscate,
 		Path:   COOKIE_PATH_ADMIN,
 		MaxAge: 60*60, // valid for 1 hour
+		SameSite: http.SameSiteStrictMode,
 	})
 	SendSuccessResult(res, true)
 }
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@ -80,6 +80,7 @@ func SessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Request) {
 		MaxAge:   60 * 60 * 24 * 30,
 		Path:     COOKIE_PATH,
 		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
 	}
 	http.SetCookie(res, &cookie)

@ -101,14 +102,14 @@ func SessionLogout(ctx App, res http.ResponseWriter, req *http.Request) {
 	http.SetCookie(res, &http.Cookie{
 		Name:   COOKIE_NAME_AUTH,
 		Value:  "",
-		Path:   COOKIE_PATH,
 		MaxAge: -1,
+		Path:   COOKIE_PATH,
 	})
 	http.SetCookie(res, &http.Cookie{
 		Name:   COOKIE_NAME_ADMIN,
 		Value:  "",
-		Path:   COOKIE_PATH_ADMIN,
 		MaxAge: -1,
+		Path:   COOKIE_PATH_ADMIN,
 	})
 	SendSuccessResult(res, nil)
 }
--- a/server/ctrl/share.go
+++ b/server/ctrl/share.go
@ -197,6 +197,7 @@ func ShareVerifyProof(ctx App, res http.ResponseWriter, req *http.Request) {
 		Path: COOKIE_PATH,
 		MaxAge: 60 * 60 * 24 * 30,
 		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
 	}
 	http.SetCookie(res, &cookie)