diff options
| author | zeripath <art27@cantab.net> | 2021-03-07 08:12:43 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-07 08:12:43 +0000 |
| commit | 9b261f52f074fcc11fd705dae63084364c4f7adf (patch) | |
| tree | 587521b6929105a76b288a962316504380c1c494 /modules/context/auth.go | |
| parent | beed5476e2831f7a0943d484873f4f49dfdd256f (diff) | |
| download | gitea-9b261f52f074fcc11fd705dae63084364c4f7adf.tar.gz gitea-9b261f52f074fcc11fd705dae63084364c4f7adf.zip | |
Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default.
There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR.
Fix #5583
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/context/auth.go')
| -rw-r--r-- | modules/context/auth.go | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/modules/context/auth.go b/modules/context/auth.go index 8be6ed1907..3b4d7fc595 100644 --- a/modules/context/auth.go +++ b/modules/context/auth.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/web/middleware" ) // ToggleOptions contains required or check options @@ -41,7 +42,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) { ctx.Data["Title"] = ctx.Tr("auth.must_change_password") ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password" if ctx.Req.URL.Path != "/user/events" { - ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL) + middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI()) } ctx.Redirect(setting.AppSubURL + "/user/settings/change_password") return @@ -69,7 +70,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) { if options.SignInRequired { if !ctx.IsSigned { if ctx.Req.URL.Path != "/user/events" { - ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL) + middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI()) } ctx.Redirect(setting.AppSubURL + "/user/login") return @@ -84,7 +85,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) { if !options.SignOutRequired && !ctx.IsSigned && len(ctx.GetCookie(setting.CookieUserName)) > 0 { if ctx.Req.URL.Path != "/user/events" { - ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL) + middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI()) } ctx.Redirect(setting.AppSubURL + "/user/login") return |