From 3f20e1fea7a04432fdb5e7abfd41dbbad7efd2d6 Mon Sep 17 00:00:00 2001
From: Daniel Cormier
Date: Wed, 25 Mar 2020 16:50:07 -0400
Subject: [PATCH] Allows configuring SameSite for session cookie

Fixes #275
---
 go.sum | 6 ------
 samlsp/new.go | 3 ++-
 samlsp/session_cookie.go | 2 ++
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/go.sum b/go.sum
index c7fd1bc0..456e60ab 100644
--- a/go.sum
+++ b/go.sum
@@ -12,8 +12,6 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -27,10 +25,6 @@ github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 h1:J4AOUc
 github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7/go.mod h1:Oz4y6ImuOQZxynhbSXk7btjEfNBtGlj2dcaOvXl2FSM=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.0 h1:DMOzIV76tmoDNE9pX6RSN0aDtCYeCg5VueieJaAo1uw=
-github.com/stretchr/testify v1.5.0/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5 h1:mXV20Aj/BdWrlVzIn1kXFa+Tq62INlUi0cFFlztTaK0=
diff --git a/samlsp/new.go b/samlsp/new.go
index 451a65aa..6bc99c99 100644
--- a/samlsp/new.go
+++ b/samlsp/new.go
@@ -23,6 +23,7 @@ type Options struct {
 AllowIDPInitiated bool
 IDPMetadata *saml.EntityDescriptor
 ForceAuthn bool // TODO(ross): this should be *bool
+ CookieSameSite http.SameSite
 
 // The following fields exist <= 0.3.0, but are superceded by the new
 // SessionProvider and RequestTracker interfaces.
@@ -38,7 +39,6 @@ type Options struct {
 // DefaultSessionCodec returns the default SessionCodec for the provided options,
 // a JWTSessionCodec configured to issue signed tokens.
 func DefaultSessionCodec(opts Options) JWTSessionCodec {
-
 // for backwards compatibility, support CookieMaxAge
 maxAge := defaultSessionMaxAge
 if opts.CookieMaxAge > 0 {
@@ -87,6 +87,7 @@ func DefaultSessionProvider(opts Options) CookieSessionProvider {
 MaxAge: maxAge,
 HTTPOnly: true,
 Secure: cookieSecure,
+ SameSite: opts.CookieSameSite,
 Codec: DefaultSessionCodec(opts),
 }
 }
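Review bot: The new `CookieSameSite` field in `Options` has no doc comment, and its zero value, `http.SameSiteDefaultMode`, makes net/http omit the attribute entirely, so callers who leave it unset get whatever policy their users' browsers apply rather than a value this library chose. I would document that on the field, e.g. `// CookieSameSite sets the SameSite attribute of the session cookie; the zero value omits the attribute and leaves the policy to the browser.` The same comment should warn that `http.SameSiteStrictMode` is likely to break login: the redirect the SP issues after the IdP's cross-site POST to the ACS is treated by browsers as cross-site initiated, so a Strict session cookie is not sent and the user is bounced back to the IdP, which makes `http.SameSiteLaxMode` the strictest value I would expect to work here. Browsers only accept `http.SameSiteNoneMode` together with `Secure`, which `DefaultSessionProvider` takes from `cookieSecure`, computed outside this hunk, so that combination deserves a sentence too.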
diff --git a/samlsp/session_cookie.go b/samlsp/session_cookie.go
index 6aa3b553..996406c0 100644
--- a/samlsp/session_cookie.go
+++ b/samlsp/session_cookie.go
@@ -19,6 +19,7 @@ type CookieSessionProvider struct {
 Domain string
 HTTPOnly bool
 Secure bool
+ SameSite http.SameSite
 MaxAge time.Duration
 Codec SessionCodec
 }
@@ -49,6 +50,7 @@ func (c CookieSessionProvider) CreateSession(w http.ResponseWriter, r *http.Requ
 MaxAge: int(c.MaxAge.Seconds()),
 HttpOnly: c.HTTPOnly,
 Secure: c.Secure || r.URL.Scheme == "https",
+ SameSite: c.SameSite,
 Path: "/",
 })
 return nil
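Review bot: `CreateSession` copies `c.SameSite` onto the cookie without reconciling it with the `Secure` attribute, but browsers drop a `SameSite=None` cookie that lacks `Secure`, so a provider configured with `http.SameSiteNoneMode` and `Secure: false` silently sets a session cookie that is never stored and the user cannot log in. The `Secure` expression also relies on `r.URL.Scheme == "https"`, which for requests a Go server receives is normally empty (the URL is parsed from the request-line path), so in practice only the `Secure` field decides; `r.TLS != nil` would be the more reliable server-side signal if that fallback is meant to do anything. I would tie the two attributes together on the new line's neighbour: `Secure: c.Secure || r.URL.Scheme == "https" || c.SameSite == http.SameSiteNoneMode, // SameSite=None is only honoured with Secure`. The enclosing `CreateSession` starts outside this hunk.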