Conditionally set authentication cookie sameSite for training instanc…

…es (#19356) * Conditionally set authentication cookie sameSite value based on config values
Graylog2 · May 17, 2024 · 030114c · 030114c
1 parent 0b664a6
commit 030114c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/graylog2-server/src/main/java/org/graylog2/configuration/HttpConfiguration.java b/graylog2-server/src/main/java/org/graylog2/configuration/HttpConfiguration.java
@@ -86,6 +86,12 @@ public class HttpConfiguration {
     @Parameter(value = "http_allow_embedding")
     private boolean httpAllowEmbedding = false;
 
+    @Parameter(value = "http_cookie_secure_override")
+    private boolean httpCookieSecureOverride = false;
+
+    @Parameter(value = "http_cookie_same_site_strict")
+    private boolean httpCookieSameSiteStrict = true;
+
     public HostAndPort getHttpBindAddress() {
         return httpBindAddress
                 .requireBracketsForIPv6()
@@ -214,6 +220,14 @@ public String getHttpTlsKeyPassword() {
         return httpTlsKeyPassword;
     }
 
+    public boolean getHttpCookieSameSiteStrict() {
+        return httpCookieSameSiteStrict;
+    }
+
+    public boolean getHttpCookieSecureOverride() {
+        return httpCookieSecureOverride;
+    }
+
     public URI getHttpExternalUri() {
         return httpExternalUri == null ? getHttpPublishUri() : httpExternalUri;
     }

diff --git a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/CookieFactory.java b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/CookieFactory.java
@@ -40,10 +40,14 @@ public class CookieFactory {
     private static final String HEADER_X_FORWARDED_PROTO = "X-Forwarded-Proto";
     private static final CharMatcher PATH_MATCHER = ascii().and(isNot(';')).and(javaIsoControl().negate());
     private final URI httpExternalUri;
+    private final boolean httpCookieSecureOverride;
+    private final boolean httpCookieSameSiteStrict;
 
     @Inject
     public CookieFactory(HttpConfiguration httpConfiguration) {
         httpExternalUri = httpConfiguration.getHttpExternalUri();
+        httpCookieSecureOverride = httpConfiguration.getHttpCookieSecureOverride();
+        httpCookieSameSiteStrict = httpConfiguration.getHttpCookieSameSiteStrict();
     }
 
     NewCookie createAuthenticationCookie(SessionResponse token, ContainerRequestContext requestContext) {
@@ -70,9 +74,9 @@ private NewCookie makeCookie(String value, Date validUntil, ContainerRequestCont
                 .path(basePath)
                 .maxAge(maxAge)
                 .expiry(validUntil)
-                .secure(isSecure)
+                .secure(isSecure || httpCookieSecureOverride)
                 .httpOnly(true)
-                .sameSite(NewCookie.SameSite.STRICT)
+                .sameSite(httpCookieSameSiteStrict ? NewCookie.SameSite.STRICT : NewCookie.SameSite.NONE)
                 .build();
     }