package possessions
import (
"net/http"
"time"
)
// CookieOptions holds the attributes applied to the session cookie itself.
// The same values are used both when the cookie is issued (makeCookie) and
// when it is cleared (deleteCookie).
// See https://tools.ietf.org/html/rfc6265 for details.
type CookieOptions struct {
	// Domain is the domain name the cookie is for. It is copied verbatim into
	// the cookie's Domain attribute. Per RFC 6265, leaving it empty keeps the
	// cookie host-only, while setting it also exposes the cookie to subdomains.
	Domain string
	// Path is the URI path the cookie is for.
	Path string
	// Name for the session cookie. NewCookieOptions sets it to "id"; the zero
	// value of the struct leaves it empty.
	Name string
	// MaxAge sets the max-age and the expires fields of a cookie.
	// A value of 0 means the browser will expire the session on browser close.
	MaxAge time.Duration
	// Secure ensures the cookie is only given on https connections.
	// Turning it off lets the session id travel over plain HTTP.
	Secure bool
	// HTTPOnly means the browser will never allow JS to touch this cookie.
	HTTPOnly bool
	// SameSite allows you to declare if your cookie should be restricted to a
	// first-party or same-site context.
	SameSite http.SameSite
}
// NewCookieOptions returns the recommended starting configuration for session
// cookies: name "id", path "/", a browser-session lifetime (MaxAge 0), and
// both Secure and HTTPOnly switched on.
//
// NOTE(review): SameSite is left at http.SameSiteDefaultMode. In recent Go
// releases net/http emits no SameSite attribute for that mode, so cross-site
// behaviour is whatever the browser defaults to. Callers that need a
// guaranteed restriction should set SameSite to http.SameSiteLaxMode or
// http.SameSiteStrictMode on the returned value.
func NewCookieOptions() CookieOptions {
	var opts CookieOptions

	opts.Name = "id"
	opts.Path = "/"
	opts.MaxAge = 0 // session cookie: dropped when the browser closes
	opts.Secure = true
	opts.HTTPOnly = true
	opts.SameSite = http.SameSiteDefaultMode

	return opts
}
// makeCookie builds the session cookie that carries value, applying the
// Domain, Path, Name, Secure, HTTPOnly and SameSite settings from c.
//
// Max-Age is c.MaxAge truncated to whole seconds. When c.MaxAge is non-zero
// an absolute Expires timestamp (now + MaxAge, in UTC) is set as well; a zero
// MaxAge leaves both unset, which produces a browser-session cookie.
// Note that a non-zero MaxAge shorter than one second truncates to a zero
// Max-Age while Expires is still populated.
func (c CookieOptions) makeCookie(value string) *http.Cookie {
	// The zero time.Time means "no Expires attribute" to net/http.
	var expiry time.Time
	if c.MaxAge != 0 {
		expiry = time.Now().UTC().Add(c.MaxAge)
	}

	maxAgeSeconds := int(c.MaxAge.Seconds())

	return &http.Cookie{
		Name:     c.Name,
		Value:    value,
		Path:     c.Path,
		Domain:   c.Domain,
		Expires:  expiry,
		MaxAge:   maxAgeSeconds,
		Secure:   c.Secure,
		HttpOnly: c.HTTPOnly,
		SameSite: c.SameSite,
	}
}
// deleteCookie writes a Set-Cookie header on w that instructs the client to
// discard the session cookie: negative MaxAge plus an Expires one year in the
// past.
//
// Name, Path and Domain are taken from c so the header addresses the same
// cookie that makeCookie issued; browsers match cookies on those attributes,
// so they must not differ between issue and deletion.
func (c CookieOptions) deleteCookie(w http.ResponseWriter) {
	alreadyExpired := time.Now().UTC().AddDate(-1, 0, 0)

	http.SetCookie(w, &http.Cookie{
		Name: c.Name,
		// If the browser refuses to delete the cookie, the empty value
		// still overwrites the old one, so later requests no longer carry
		// something that could point at a valid session id.
		Value:    "",
		Path:     c.Path,
		Domain:   c.Domain,
		Expires:  alreadyExpired,
		MaxAge:   -1,
		Secure:   c.Secure,
		HttpOnly: c.HTTPOnly,
		SameSite: c.SameSite,
	})
}
// getCookieValue reads the cookie named c.Name from the request and returns
// its value (usually the ID of the session).
//
// If the request carries no such cookie, it returns an empty string together
// with errNoSession{}; the underlying lookup error is not propagated.
//
// The value comes straight from the client and is not validated here, so
// callers must treat it as untrusted until it has been checked against the
// session store.
func (c CookieOptions) getCookieValue(r *http.Request) (string, error) {
	if found, lookupErr := r.Cookie(c.Name); lookupErr == nil {
		return found.Value, nil
	}
	return "", errNoSession{}
}