From 8214b1ccc8ebf9710e7d7246075de326cfa913a4 Mon Sep 17 00:00:00 2001 From: Jeremy Yen Date: Thu, 23 Nov 2023 03:54:29 +0800 Subject: [PATCH 1/2] url encode session cookie --- .gitignore | 2 ++ internal/session_cookie.go | 13 ++++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index d6ad7eb..d52bf0a 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ banjax *.tmp tmp logs + +keys diff --git a/internal/session_cookie.go b/internal/session_cookie.go index 855ebc3..5d5a5e7 100644 --- a/internal/session_cookie.go +++ b/internal/session_cookie.go @@ -17,6 +17,7 @@ import ( "fmt" "log" "math/rand" + "net/url" "strconv" "strings" "time" @@ -25,7 +26,7 @@ import ( ) const ( - CookieName = "deflect_session" + SessionCookieName = "deflect_session" ExpireTimeByteLength = 8 IdByteLength = 4 HmacByteLength = 4 @@ -118,15 +119,16 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error { set in the logs: dsc=cookie, dsc_new=False */ clientIp := c.Request.Header.Get("X-Client-IP") - dsc, err := c.Cookie(CookieName) + dsc, err := c.Cookie(SessionCookieName) + urlDecodedDsc, _ := url.QueryUnescape(dsc) if err == nil { // cookie exists, validate it - validateErr := validateSessionCookie(dsc, config.SessionCookieHmacSecret, time.Now(), clientIp) + validateErr := validateSessionCookie(urlDecodedDsc, config.SessionCookieHmacSecret, time.Now(), clientIp) if validateErr == nil { // cookie is valid, do not attach cookie but only report dsc_new=false // fmt.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, dsc) - attachSessionCookie(c, config, dsc, false) + attachSessionCookie(c, config, urlDecodedDsc, false) } else { // cookie is invalid, create a new one newDsc := newSessionCookie(config.SessionCookieHmacSecret, config.SessionCookieTtlSeconds, clientIp) 
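Review bot: `urlDecodedDsc, _ := url.QueryUnescape(dsc)` in the sessionCookieEndPoint hunk decodes the cookie a second time: in the gin versions I know, `c.Cookie` already runs `url.QueryUnescape` on the raw cookie value before returning it, and `c.SetCookie` (used in the attachSessionCookie hunk that follows) already runs `url.QueryEscape` on the value it writes, so the explicit escape/unescape pair added in this patch double-encodes on write and double-decodes on read. The pair is symmetric, so validateSessionCookie still sees the original value and the HMAC check is not weakened, but a client-sent `+` or `%25` is transformed twice before validation and the value that is logged and echoed no longer matches what was on the wire; please confirm against the gin version pinned in go.mod and either drop both calls or leave a comment saying why the extra layer is needed. The decode also runs before `err` from `c.Cookie` is checked, so moving it inside `if err == nil {` keeps the no-cookie path free of it. sessionCookieEndPoint starts and continues outside the hunk.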
@@ -145,7 +147,8 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error { func attachSessionCookie(c *gin.Context, config *Config, dsc string, dsc_new bool) { if dsc_new { - c.SetCookie(CookieName, dsc, config.SessionCookieTtlSeconds, "/", "", false, true) + urlEncodedDsc := url.QueryEscape(dsc) + c.SetCookie(SessionCookieName, urlEncodedDsc, config.SessionCookieTtlSeconds, "/", "", false, true) } // for nginx log c.Header("X-Deflect-Session", dsc) From ca1756d17810f3510c64534a3353b8a4efb9a661 Mon Sep 17 00:00:00 2001 From: Jeremy Yen Date: Thu, 23 Nov 2023 23:23:14 +0800 Subject: [PATCH 2/2] Handle err --- internal/session_cookie.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/internal/session_cookie.go b/internal/session_cookie.go index 5d5a5e7..0f68c03 100644 --- a/internal/session_cookie.go +++ b/internal/session_cookie.go 
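Review bot: The rewritten `c.SetCookie(SessionCookieName, urlEncodedDsc, config.SessionCookieTtlSeconds, "/", "", false, true)` still passes `false` for the Secure attribute, so the HMAC-bearing session cookie is also sent on plaintext requests. If this endpoint is only reached over TLS, directly or behind a TLS-terminating proxy, that argument should be `true`; if `false` is deliberate for an HTTP deployment, a comment on that line such as `// secure=false: served over plain HTTP behind the edge` would stop the next reader from changing it blindly. Note also that `url.QueryEscape(dsc)` on the line above is applied in addition to the escaping gin's SetCookie performs itself in the versions I know, which is what forces the second QueryUnescape on the read side. attachSessionCookie's closing brace lies outside the hunk.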
@@ -120,19 +120,25 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error { */ clientIp := c.Request.Header.Get("X-Client-IP") dsc, err := c.Cookie(SessionCookieName) - urlDecodedDsc, _ := url.QueryUnescape(dsc) + urlDecodedDsc, decodeErr := url.QueryUnescape(dsc) + + // if fail to decode, use the original dsc + if decodeErr != nil { + log.Printf("DSC: fail to urldecode cookie %s, use the original one\n", dsc) + urlDecodedDsc = dsc + } if err == nil { // cookie exists, validate it validateErr := validateSessionCookie(urlDecodedDsc, config.SessionCookieHmacSecret, time.Now(), clientIp) if validateErr == nil { // cookie is valid, do not attach cookie but only report dsc_new=false - // fmt.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, dsc) + // log.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, urlDecodedDsc) attachSessionCookie(c, config, urlDecodedDsc, false) } else { // cookie is invalid, create a new one newDsc := newSessionCookie(config.SessionCookieHmacSecret, config.SessionCookieTtlSeconds, clientIp) - log.Printf("DSC: [%s] cookie %s is not valid, issue new: %s\n", clientIp, dsc, newDsc) + log.Printf("DSC: [%s] cookie %s is not valid, issue new: %s\n", clientIp, urlDecodedDsc, newDsc) attachSessionCookie(c, config, newDsc, true) } return nil
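Review bot: The new `log.Printf("DSC: fail to urldecode cookie %s, use the original one\n", dsc)` writes a client-controlled, not-yet-validated cookie value into the log with `%s`; `%q` keeps it as one quoted token and makes an empty or control-character-laden value visible, so `log.Printf("DSC: fail to urldecode cookie %q, use the original one\n", dsc)`, and the same change suits the `%s` for `urlDecodedDsc` in the rewritten "is not valid" line. Because the fallback on decode failure still hands the raw `dsc` to validateSessionCookie, the HMAC check gates the value either way, so this is log hygiene rather than a bypass. The decode and its fallback also execute before `err` from `c.Cookie` is examined; placing them inside `if err == nil {` avoids decoding and possibly logging on the no-cookie path. sessionCookieEndPoint starts outside the hunk.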