fix: cookie handling (#654)

* feat: set cookie prefix and max age * cookie prefix on csrf cookie * fix: check user agent cookie in login * update oidc pkg * cleanup
2025-08-11 09:57:37 +00:00 · 2020-08-31 08:49:35 +02:00
parent 1089193faf
commit c1c85e632b
26 changed files with 262 additions and 205 deletions
--- a/internal/api/http/cookie.go
+++ b/internal/api/http/cookie.go
@@ -8,9 +8,15 @@ import (
 	"github.com/caos/zitadel/internal/errors"
 )

+const (
+	prefixSecure = "__Secure-"
+	prefixHost   = "__Host-"
+)
+
 type CookieHandler struct {
 	securecookie *securecookie.SecureCookie
 	secureOnly   bool
+	httpOnly     bool
 	sameSite     http.SameSite
 	path         string
 	maxAge       int
@@ -20,6 +26,7 @@ type CookieHandler struct {
 func NewCookieHandler(opts ...CookieHandlerOpt) *CookieHandler {
 	c := &CookieHandler{
 		secureOnly: true,
+		httpOnly:   true,
 		sameSite:   http.SameSiteLaxMode,
 		path:       "/",
 	}
@@ -44,6 +51,12 @@ func WithUnsecure() CookieHandlerOpt {
 	}
 }

+func WithNonHttpOnly() CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.httpOnly = false
+	}
+}
+
 func WithSameSite(sameSite http.SameSite) CookieHandlerOpt {
 	return func(c *CookieHandler) {
 		c.sameSite = sameSite
@@ -69,6 +82,16 @@ func WithDomain(domain string) CookieHandlerOpt {
 	}
 }

+func SetCookiePrefix(name, domain, path string, secureOnly bool) string {
+	if !secureOnly {
+		return name
+	}
+	if domain != "" || path != "/" {
+		return prefixSecure + name
+	}
+	return prefixHost + name
+}
+
 func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, error) {
 	cookie, err := r.Cookie(name)
 	if err != nil {
@@ -78,7 +101,7 @@ func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, er
 }

 func (c *CookieHandler) GetEncryptedCookieValue(r *http.Request, name string, value interface{}) error {
-	cookie, err := r.Cookie(name)
+	cookie, err := r.Cookie(SetCookiePrefix(name, c.domain, c.path, c.secureOnly))
 	if err != nil {
 		return err
 	}
@@ -110,12 +133,12 @@ func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {

 func (c *CookieHandler) httpSet(w http.ResponseWriter, name, value string, maxage int) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     name,
+		Name:     SetCookiePrefix(name, c.domain, c.path, c.secureOnly),
 		Value:    value,
 		Domain:   c.domain,
 		Path:     c.path,
 		MaxAge:   maxage,
-		HttpOnly: true,
+		HttpOnly: c.httpOnly,
 		Secure:   c.secureOnly,
 		SameSite: c.sameSite,
 	})