saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (
dustin-decker authored and crewjam committed Sep 25, 2017
1 parent 50777a1 commit bb12e77
Showing 4 changed files with 12 additions and 9 deletions.
3 changes: 2 additions & 1 deletion samlidp/session.go
Expand Up @@ -67,7 +67,8 @@ func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.Id
Name: "session",
Value: session.ID,
MaxAge: int(sessionMaxAge.Seconds()),
HttpOnly: false,
HttpOnly: true,
Secure: r.URL.Scheme == "https",
Path: "/",
})
return session
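Review bot: The new `Secure: r.URL.Scheme == "https"` line in GetSession will not set the Secure attribute on real traffic: for a request a Go server parses from the wire, r.URL carries only the path and query and Scheme is empty, so the comparison is false even on a TLS listener, and in the rare absolute-form request where Scheme is populated its value comes from the client rather than from the connection. The idp test expects `; Secure` presumably because its request is constructed with an absolute https URL, which masks this. The direct signal for a TLS connection is `r.TLS != nil`, so the line should read `Secure: r.TLS != nil,`; behind a TLS-terminating proxy neither field is reliable, and a server-level option that forces Secure is the usual complement. The same expression is introduced in samlsp/middleware.go in both RequireAccount and Authorize and needs the same change. GetSession's body begins outside the hunk.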
2 changes: 1 addition & 1 deletion samlidp/session_test.go
Expand Up @@ -27,7 +27,7 @@ func (test *ServerTest) TestSessionsCrud(c *C) {
r.Header.Set("Content-type", "application/x-www-form-urlencoded")
test.Server.ServeHTTP(w, r)
c.Assert(w.Code, Equals, http.StatusOK)
c.Assert(w.Header().Get("Set-Cookie"), Equals, "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600")
c.Assert(w.Header().Get("Set-Cookie"), Equals, "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600; HttpOnly; Secure")
c.Assert(string(w.Body.Bytes()), Equals,
"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\"}\n")

6 changes: 4 additions & 2 deletions samlsp/middleware.go
Expand Up @@ -150,7 +150,8 @@ func (m *Middleware) RequireAccount(handler http.Handler) http.Handler {
Name: fmt.Sprintf("saml_%s", relayState),
Value: signedState,
MaxAge: int(saml.MaxIssueDelay.Seconds()),
HttpOnly: false,
HttpOnly: true,
Secure: r.URL.Scheme == "https",
Path: m.ServiceProvider.AcsURL.Path,
})

Expand Down Expand Up @@ -281,7 +282,8 @@ func (m *Middleware) Authorize(w http.ResponseWriter, r *http.Request, assertion
Domain: m.CookieDomain,
Value: signedToken,
MaxAge: int(m.CookieMaxAge.Seconds()),
HttpOnly: false,
HttpOnly: true,
Secure: r.URL.Scheme == "https",
Path: "/",
})

10 changes: 5 additions & 5 deletions samlsp/middleware_test.go
Expand Up @@ -140,7 +140,7 @@ func (test *MiddlewareTest) TestRequireAccountNoCreds(c *C) {
c.Assert(resp.Header().Get("Set-Cookie"), Equals,
"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
"; Path=/saml2/acs; Max-Age=90")
"; Path=/saml2/acs; Max-Age=90; HttpOnly")

redirectURL, err := url.Parse(resp.Header().Get("Location"))
c.Assert(err, IsNil)
Expand All @@ -166,7 +166,7 @@ func (test *MiddlewareTest) TestRequireAccountNoCredsPostBinding(c *C) {
c.Assert(resp.Header().Get("Set-Cookie"), Equals,
"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
"; Path=/saml2/acs; Max-Age=90")
"; Path=/saml2/acs; Max-Age=90; HttpOnly")
c.Assert(string(resp.Body.Bytes()), Equals, ""+
"<!DOCTYPE html>"+
"<html>"+
Expand Down Expand Up @@ -259,7 +259,7 @@ func (test *MiddlewareTest) TestRequireAccountBadCreds(c *C) {
c.Assert(resp.Header().Get("Set-Cookie"), Equals,
"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
"; Path=/saml2/acs; Max-Age=90")
"; Path=/saml2/acs; Max-Age=90; HttpOnly")
redirectURL, err := url.Parse(resp.Header().Get("Location"))
c.Assert(err, IsNil)
decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
Expand Down Expand Up @@ -290,7 +290,7 @@ func (test *MiddlewareTest) TestRequireAccountExpiredCreds(c *C) {
c.Assert(resp.Header().Get("Set-Cookie"), Equals,
"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImlkLTAwMDIwNDA2MDgwYTBjMGUxMDEyMTQxNjE4MWExYzFlMjAyMjI0MjYiLCJ1cmkiOiIvZnJvYiJ9.7f-xjK5ZzpP_51YL4aPQSQcIBKKCRb_j6CE9pZieJG0"+
"; Path=/saml2/acs; Max-Age=90")
"; Path=/saml2/acs; Max-Age=90; HttpOnly")

redirectURL, err := url.Parse(resp.Header().Get("Location"))
c.Assert(err, IsNil)
Expand Down Expand Up @@ -412,7 +412,7 @@ func (test *MiddlewareTest) TestCanParseResponse(c *C) {
c.Assert(resp.Header()["Set-Cookie"], DeepEquals, []string{
"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
"ttt=" + expectedToken + "; " +
"Path=/; Max-Age=7200",
"Path=/; Max-Age=7200; HttpOnly",
})
}

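Review bot: Every updated expectation in this file (the four RequireAccount strings now ending `; Max-Age=90; HttpOnly` and the TestCanParseResponse entry `Path=/; Max-Age=7200; HttpOnly`) covers only the case where the Secure attribute is absent, so the new `Secure: r.URL.Scheme == "https"` branch in samlsp/middleware.go is never exercised here, while samlidp/session_test.go does expect `; Secure`. One request built as if over TLS — with r.TLS populated, or with an https URL if the check stays on r.URL.Scheme — and an expectation ending `; HttpOnly; Secure` would pin that path for both the relay-state cookie and the token cookie. How the test requests are constructed is outside the visible hunks, so the exact setup line is inferred rather than quoted.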
