From e5b864ad4d66d49a557a068208b50836fbe6909f Mon Sep 17 00:00:00 2001 From: davidby-influx Date: Tue, 19 Dec 2023 16:52:03 -0800 Subject: [PATCH 1/4] fix: enable HttpOnly and Secure using TLS When TLS is enabled, set the HttpOnly and Secure flags when a cookie is created. closes: https://github.com/influxdata/influxdb/issues/24522 --- session/http_server.go | 6 ++++-- session/http_server_test.go | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/session/http_server.go b/session/http_server.go index 98a07ffe8ee..f0e80da0a2e 100644 --- a/session/http_server.go +++ b/session/http_server.go @@ -105,7 +105,7 @@ func (h *SessionHandler) handleSignin(w http.ResponseWriter, r *http.Request) { return } - encodeCookieSession(w, s) + encodeCookieSession(w, s, (r != nil) && (r.TLS != nil)) w.WriteHeader(http.StatusNoContent) } @@ -163,7 +163,7 @@ func decodeSignoutRequest(ctx context.Context, r *http.Request) (*signoutRequest const cookieSessionName = "influxdb-oss-session" -func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) { +func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled bool) { // We only need the session cookie for accesses to "/api/...", so limit // it to that using "Path". // @@ -208,6 +208,8 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) { Path: "/api/", // since UI doesn't need it, limit cookie usage to API requests Expires: s.ExpiresAt, SameSite: http.SameSiteStrictMode, + HttpOnly: tlsEnabled, + Secure: tlsEnabled, } http.SetCookie(w, c) diff --git a/session/http_server_test.go b/session/http_server_test.go index b22e4c357e4..32796587049 100644 --- a/session/http_server_test.go +++ b/session/http_server_test.go 
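Review bot: Deriving the Secure decision from `(r != nil) && (r.TLS != nil)` in handleSignin only recognizes TLS that this process terminates; behind a TLS-terminating reverse proxy r.TLS is nil, so the session cookie is issued without Secure even though the browser's connection is HTTPS, and the same value feeds `Secure: tlsEnabled` in the hunk at line 208 and again in PATCH 3/4. Consider taking the flag from server configuration (whether the HTTP server itself was started with TLS, or an explicit option for proxied TLS) in addition to the per-request check, e.g. `encodeCookieSession(w, s, h.tlsEnabled || r.TLS != nil)` where `h.tlsEnabled` is a constructed example of a handler field set at construction time. The `r != nil` guard is presumably redundant if the handler has already dereferenced r, but handleSignin's body starts outside the hunk so I cannot confirm that. Whatever is chosen, a short comment at the call site stating why a plain-HTTP request must yield a non-Secure cookie (browsers reject a Secure cookie set over http except on localhost, which would make sign-in silently fail) would help the next reader.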
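Review bot: The new `tlsEnabled` parameter of encodeCookieSession is undocumented; the comment block that follows the signature only explains the Path restriction. Add a sentence to that block naming what the flag gates, e.g. `// tlsEnabled marks the cookie Secure, so browsers return it only over HTTPS; it must be false when the response is sent over plain HTTP, otherwise the browser discards the cookie.` In this patch the flag also drives HttpOnly, which PATCH 3/4 later decouples, so the comment should describe the behaviour the series settles on. The function body continues outside the hunk.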
@@ -58,7 +58,7 @@ func TestSessionHandler_handleSignin(t *testing.T) { password: "supersecret", }, wants: wants{ - cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; SameSite=Strict", + cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; Secure; SameSite=Strict", code: http.StatusNoContent, }, }, From e01e7074b5b2b540eaee8860d352fb78f705f876 Mon Sep 17 00:00:00 2001 From: davidby-influx Date: Tue, 19 Dec 2023 17:25:17 -0800 Subject: [PATCH 2/4] fix: cookie exemplar in testing --- session/http_server_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/session/http_server_test.go b/session/http_server_test.go index 32796587049..b22e4c357e4 100644 --- a/session/http_server_test.go +++ b/session/http_server_test.go @@ -58,7 +58,7 @@ func TestSessionHandler_handleSignin(t *testing.T) { password: "supersecret", }, wants: wants{ - cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; Secure; SameSite=Strict", + cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; SameSite=Strict", code: http.StatusNoContent, }, }, From 41cdc08b05d5dc2835ab0c62e4b175a279b0d731 Mon Sep 17 00:00:00 2001 From: davidby-influx Date: Wed, 20 Dec 2023 09:56:31 -0800 Subject: [PATCH 3/4] fix: HttpOnly always true in cookies --- session/http_server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/session/http_server.go b/session/http_server.go index f0e80da0a2e..b78d5fea8f7 100644 --- a/session/http_server.go +++ b/session/http_server.go @@ -208,7 +208,7 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled Path: "/api/", // since UI doesn't need it, limit cookie usage to API requests Expires: s.ExpiresAt, SameSite: http.SameSiteStrictMode, - HttpOnly: tlsEnabled, + HttpOnly: true, Secure: tlsEnabled, } From dd2ca4b49cf65fef05816bdd68d7bda2a08594ff Mon Sep 17 00:00:00 2001 
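Review bot: A one-line why-comment would help next to `HttpOnly: true` and `Secure: tlsEnabled`, since the asymmetry between the unconditional HttpOnly and the conditional Secure is not obvious from the code and PATCH 1/4 shows it was initially coupled by mistake. Suggested: `// HttpOnly is always safe to set; Secure is tied to TLS because browsers drop a Secure cookie set over plain HTTP (except on localhost), which would break sign-in on non-TLS deployments.` The cookie struct literal and encodeCookieSession's body extend outside the hunk.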
From: davidby-influx Date: Wed, 20 Dec 2023 11:24:11 -0800 Subject: [PATCH 4/4] chore: update test exemplar --- session/http_server_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/session/http_server_test.go b/session/http_server_test.go index b22e4c357e4..41d650dcad4 100644 --- a/session/http_server_test.go +++ b/session/http_server_test.go @@ -58,7 +58,7 @@ func TestSessionHandler_handleSignin(t *testing.T) { password: "supersecret", }, wants: wants{ - cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; SameSite=Strict", + cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; HttpOnly; SameSite=Strict", code: http.StatusNoContent, }, },
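Review bot: The updated exemplar only covers the plain-HTTP path (HttpOnly set, no Secure); nothing in the series exercises `tlsEnabled == true`, so a regression that stops setting Secure on TLS connections would pass the suite unnoticed. Add a second sign-in case whose request carries a non-nil TLS state (`r.TLS = &tls.ConnectionState{}`, which needs `crypto/tls` imported in the test) and expect `cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict"`, which is the attribute order net/http's Cookie.String emits. The test table starts and ends outside the hunk, so the exact shape of the new entry follows whatever the surrounding cases use.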