Add SameSite cookie configuration value for session cookie #339
Conversation
Hey @pgroudas, thanks for raising the PR! Looks good to me in general, very clean code!
I've added one potential improvement as a suggestion below, let me know what you think 😄
```go
case "none":
	return http.SameSiteNoneMode
default:
	return http.SameSiteDefaultMode
```
I wonder if the default should be a panic to guard against future changes to the flag checking that might break the functionality?

```go
...
case "":
	return http.SameSiteDefaultMode
default:
	panic(fmt.Sprintf("Invalid value for SameSite: %s", v))
```
Good idea, done!
Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite
LGTM, thanks @pgroudas!
@JoelSpeed when do you think it can be expected to be released? The last released version 4.1.0 doesn't have this flag yet, I have to use
However, it works for me perfectly on v4.1.0-37-gd9362d3, will comment it in #362 as well
Description
This extends the configuration options to add an additional field for COOKIE_SAMESITE which will be propagated into options used to configure the authentication / session cookie. If not provided, this will be set to the value of http.SameSiteDefaultMode, which is effectively the same behavior as before this change. However, this now allows a user to opt into using SameSiteLaxMode, SameSiteStrictMode, or SameSiteNoneMode.
Motivation and Context
This change improves security of proxied services by preventing CSRF attacks.
See: https://www.owasp.org/index.php/SameSite
How Has This Been Tested?
Unit tests have been updated to verify the additional field on the session cookie.
The SameSite cookie attribute has been verified in debug tools in Chrome.
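Worked example, added here and not part of the PR or the project's code: a stand-alone Go program showing how a COOKIE_SAMESITE string maps to a net/http SameSite mode and what Set-Cookie header each value produces for a session cookie. The function names, the lowercasing of the input, the cookie name `_oauth2_proxy` and the sample value are all this example's own choices. Two deliberate differences from the PR: an unknown value returns an error instead of panicking, and SameSite=None is rejected on a non-Secure cookie, since current browsers drop a `SameSite=None` cookie that lacks `Secure`, which would silently break sessions over plain HTTP.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ParseSameSite maps the COOKIE_SAMESITE configuration string to a
// net/http SameSite mode. An empty string keeps the pre-change behaviour
// (SameSiteDefaultMode, so no SameSite=... attribute is emitted).
// Unlike the PR's switch, which panics on an unknown value, this example
// returns an error so the caller decides how to fail. Lowercasing the
// input is this example's choice, not the project's behaviour.
func ParseSameSite(v string) (http.SameSite, error) {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "":
		return http.SameSiteDefaultMode, nil
	case "lax":
		return http.SameSiteLaxMode, nil
	case "strict":
		return http.SameSiteStrictMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	default:
		return http.SameSiteDefaultMode, fmt.Errorf("invalid value for SameSite: %q", v)
	}
}

// SessionCookieHeader renders the Set-Cookie header value for a session
// cookie with the given SameSite mode. It refuses SameSite=None without
// Secure: browsers reject that combination, so the cookie would never be
// stored and every request would look unauthenticated.
func SessionCookieHeader(name, value string, secure bool, mode http.SameSite) (string, error) {
	if mode == http.SameSiteNoneMode && !secure {
		return "", fmt.Errorf("SameSite=None requires the Secure attribute")
	}
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: mode,
	}
	return c.String(), nil
}

func main() {
	// Constructed inputs: every accepted value plus one typo.
	for _, v := range []string{"", "lax", "strict", "none", "bogus"} {
		mode, err := ParseSameSite(v)
		if err != nil {
			fmt.Printf("%-8q -> %v\n", v, err)
			continue
		}
		hdr, err := SessionCookieHeader("_oauth2_proxy", "opaque-session-id", true, mode)
		if err != nil {
			fmt.Printf("%-8q -> %v\n", v, err)
			continue
		}
		fmt.Printf("%-8q -> %s\n", v, hdr)
	}
}
```

Running it prints one Set-Cookie line per accepted value (with `SameSite=Lax`, `SameSite=Strict` or `SameSite=None` appended) and an error for `bogus`; rerunning `SessionCookieHeader` with `secure=false` and the `none` mode returns the Secure error rather than a header.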