From 09d6478d72fb91b7e18fbd96abebbfd574e02a6b Mon Sep 17 00:00:00 2001 From: Shadowfacts Date: Tue, 15 Feb 2022 10:00:07 -0500 Subject: [PATCH] [bugfix] Only mark cookies as Secure on https (#398) Fixes cookies not being stored/sent by Safari when serving over plain http --- internal/router/session.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/router/session.go b/internal/router/session.go index 066024601..be29b01c9 100644 --- a/internal/router/session.go +++ b/internal/router/session.go @@ -38,10 +38,10 @@ func SessionOptions() sessions.Options { return sessions.Options{ Path: "/", Domain: viper.GetString(config.Keys.Host), - MaxAge: 120, // 2 minutes - Secure: true, // only use cookie over https - HttpOnly: true, // exclude javascript from inspecting cookie - SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 + MaxAge: 120, // 2 minutes + Secure: viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https + HttpOnly: true, // exclude javascript from inspecting cookie + SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 } }