From b4bd2b35e22e84520ed8ffc0fe31e3897ac017d8 Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Tue, 24 Aug 2021 21:26:16 +0200
Subject: [PATCH] add HttpOnly and Secure flag to cookie store (#39)

---
 internal/server/server.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/internal/server/server.go b/internal/server/server.go
index 635819e..8480d70 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -116,7 +116,16 @@ func (s *Server) Setup(ctx context.Context) error {
 s.server.Use(ginlogrus.Logger(logrus.StandardLogger()))
 }
 s.server.Use(gin.Recovery())
- s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))
+
+ // Authentication cookies
+ cookieStore := memstore.NewStore([]byte(s.config.Core.SessionSecret))
+ cookieStore.Options(sessions.Options{
+ Path: "/",
+ MaxAge: 86400, // auth session is valid for 1 day
+ Secure: strings.HasPrefix(s.config.Core.ExternalUrl, "https"),
+ HttpOnly: true,
+ })
+ s.server.Use(sessions.Sessions("authsession", cookieStore))
 s.server.SetFuncMap(template.FuncMap{
 "formatBytes": common.ByteCountSI,
 "urlEncode": url.QueryEscape,
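Review bot: The `Secure` flag on the new `sessions.Options` is derived from a case-sensitive prefix test on `ExternalUrl`, so a configured value such as `HTTPS://…` (or one with leading whitespace) silently produces a session cookie that browsers will also send over plain HTTP. Parsing the URL once and comparing the scheme is more robust and uses the `url` package the file already imports for `QueryEscape`: `u, err := url.Parse(s.config.Core.ExternalUrl)` followed by `Secure: err == nil && strings.EqualFold(u.Scheme, "https"),`. The options also leave `SameSite` unset; if the sessions version in use exposes that field, setting it to `http.SameSiteLaxMode` is cheap CSRF hardening for the cookie that carries the auth session, and it would be worth a comment either way stating which cross-site behaviour is intended. The hunk does not touch the import block, so confirm `strings` is already imported in server.go, since the diffstat's 10 insertions otherwise would not build. Setup continues outside the hunk.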