
Comments (6)

dpertin commented on June 18, 2024

You are right, Strict mode implies higher security rules which might have potential drawbacks. It prevents the browser from attaching any cookies to cross-site requests. For instance here, it prevented the browser from attaching any cookies you had for LastFM to the request (so you were not considered as logged in when the request arrived).

Lax provides a reasonable level of protection by preventing the browser from attaching any cookies to requests based on unsafe HTTP methods only (like POST). Thus I think it is judicious to switch to SameSite=Lax.

from gonic.

dpertin commented on June 18, 2024

EDIT: maybe would it make sense to not set Secure? a lot of people don't run gonic with HTTPS in front

If people run Gonic with HTTP, it makes sense indeed to skip the Secure flag at the application level. However, for people concerned about this flag, a workaround could be to set it at the web server level. For instance with nginx, one could adapt the configuration sample provided in README.md by using the proxy_cookie_path directive as such:

  location / {
      # Workaround to set the cookie Secure flag: nginx rewrites the Path
      # attribute of upstream Set-Cookie headers, so appending "; secure"
      # to the path value adds the flag (directive needs a trailing semicolon)
      proxy_cookie_path / "/; secure";

      proxy_pass http://localhost:4747/;
      # set X-Forwarded-Host for last.fm connection callback
      proxy_set_header X-Forwarded-Host $host;
  }

Should this be added to the documentation?


sentriz commented on June 18, 2024

hey thank you for that
here is where i'm at currently:

with a simple enough change

diff --git a/server/ctrladmin/ctrl.go b/server/ctrladmin/ctrl.go
index 7f131af..a75a4a0 100644
--- a/server/ctrladmin/ctrl.go
+++ b/server/ctrladmin/ctrl.go
@@ -98,11 +98,15 @@ func New(base *ctrlbase.Controller) *Controller {
 		})
 	tmplBase = extendFromPaths(tmplBase, prefixPartials)
 	tmplBase = extendFromPaths(tmplBase, prefixLayouts)
+	sessDB := gormstore.New(base.DB.DB, sessionKey)
+	sessDB.SessionOpts.Secure = true
+	sessDB.SessionOpts.HttpOnly = true
+	sessDB.SessionOpts.SameSite = http.SameSiteStrictMode
 	return &Controller{
 		Controller: base,
 		buffPool:   bpool.NewBufferPool(64),
 		templates:  pagesFromPaths(tmplBase, prefixPages),
-		sessDB:     gormstore.New(base.DB.DB, sessionKey),
+		sessDB:     sessDB,
 	}
 }
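Review bot: `sessDB.SessionOpts.Secure = true` is unconditional, so on instances served over plain HTTP (which the EDIT below says is common) the browser will not store or send the session cookie and logins fail silently; consider making it configurable or defaulting it off, e.g. `sessDB.SessionOpts.Secure = base.SecureCookies` fed from a flag (name hypothetical). Also, the hunk references `http.SameSiteStrictMode` without touching the import block, so confirm `net/http` is already imported in ctrl.go.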

EDIT: maybe would it make sense to not set Secure? a lot of people don't run gonic with HTTPS in front


dpertin commented on June 18, 2024

hey thank you for that

No worries and thank you so much for working on this great streaming server and sharing it.

here is where i'm at currently:

Looks great, good job! 👍

EDIT: maybe would it make sense to not set Secure? a lot of people don't run gonic with HTTPS in front

Then it makes sense indeed to skip Secure. As a consequence it is not worth working on prefixes since they rely on this flag.


sentriz commented on June 18, 2024

thanks for the kind words :)


sentriz commented on June 18, 2024

had another little look. it seems that last.fm "linking" doesn't work with SameSite=Strict

if you're not familiar with the last.fm thing: in the gonic ui you click "link" to connect with lastfm. you're redirected to https://last.fm/whatever?cb=https://gonic.your.server/admin/link_lastfm_do (last.fm redirects you back to gonic with a token, then gonic stores the token)

however, it does work with a SameSite=Lax
what would you recommend here?

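To make the Strict versus Lax trade-off from the earlier comment and the last.fm callback failure above concrete, here is an added Go example (not gonic's code) that models the browser's cookie-attachment decision for a session cookie with given SameSite and Secure attributes. The Request struct, WouldAttach and SessionCookie are constructed for this illustration; treating an unset SameSite as Lax is an assumption that matches current Chromium behaviour.

```go
package main

import (
	"fmt"
	"net/http"
)

// Request is a constructed model of how a browser is about to send a request,
// reduced to the properties the SameSite and Secure rules depend on.
type Request struct {
	Method      string // HTTP method ("GET", "POST", ...)
	CrossSite   bool   // initiated from another site (e.g. last.fm -> gonic)
	TopLevelNav bool   // a top-level navigation (link/redirect), not fetch/iframe
	HTTPS       bool   // request travels over TLS
}

// WouldAttach reports whether a browser following the SameSite and Secure
// rules would attach cookie c to req. Assumption: unset SameSite is modelled
// as Lax, which is what current Chromium does.
func WouldAttach(c *http.Cookie, req Request) bool {
	if c.Secure && !req.HTTPS {
		return false // Secure cookies are never sent over plain HTTP
	}
	if !req.CrossSite {
		return true // same-site requests always carry the cookie
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return false // never cross-site, so the last.fm callback arrives logged out
	case http.SameSiteLaxMode, http.SameSiteDefaultMode:
		safe := req.Method == "GET" || req.Method == "HEAD"
		return req.TopLevelNav && safe // cross-site only for safe top-level navigations
	case http.SameSiteNoneMode:
		return c.Secure // None is only honoured when Secure is also set
	}
	return false
}

// LastFMCallback models last.fm redirecting the browser back to
// https://gonic.your.server/admin/link_lastfm_do with the token.
var LastFMCallback = Request{Method: "GET", CrossSite: true, TopLevelNav: true, HTTPS: true}

// SessionCookie builds the session cookie with the flags from the diff above.
func SessionCookie(mode http.SameSite) *http.Cookie {
	return &http.Cookie{Name: "gonic", Value: "example-session-id", Path: "/",
		HttpOnly: true, Secure: true, SameSite: mode}
}

func main() {
	for _, m := range []http.SameSite{http.SameSiteStrictMode, http.SameSiteLaxMode} {
		c := SessionCookie(m)
		fmt.Printf("%s\n  attached on last.fm callback: %v\n", c.String(), WouldAttach(c, LastFMCallback))
	}
}
```

Running it shows the Strict cookie is dropped on the callback while the Lax cookie is attached, and the same Lax cookie is still withheld from a cross-site POST.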
