fix: make session cookie Secure attribute optional for HTTP/LAN dev
This commit is contained in:
+10
-2
@@ -2,19 +2,27 @@ package auth
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SetSessionCookie writes the session cookie with secure defaults.
|
// SetSessionCookie writes the session cookie with secure defaults.
|
||||||
// Shared by password login, registration, and WebAuthn login.
|
// Shared by password login, registration, and WebAuthn login.
|
||||||
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
|
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
|
||||||
|
secure := os.Getenv("COOKIE_SECURE") == "true"
|
||||||
|
|
||||||
|
sameSite := http.SameSiteLaxMode
|
||||||
|
if secure {
|
||||||
|
sameSite = http.SameSiteStrictMode
|
||||||
|
}
|
||||||
|
|
||||||
http.SetCookie(w, &http.Cookie{
|
http.SetCookie(w, &http.Cookie{
|
||||||
Name: cookieName,
|
Name: cookieName,
|
||||||
Value: token,
|
Value: token,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
Secure: true,
|
Secure: secure,
|
||||||
SameSite: http.SameSiteStrictMode,
|
SameSite: sameSite,
|
||||||
MaxAge: int(duration.Seconds()),
|
MaxAge: int(duration.Seconds()),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user