alexedwards / scs

HTTP Session Management for Go
MIT License

Session getting added to DB, but not to cookie, when set to SameSiteNone, but works in SameSiteLax #194

Closed spa5k closed 8 months ago

spa5k commented 8 months ago

session manager -

```go
func SessionManager() *scs.SessionManager {
    once.Do(func() {
        Manager = scs.New()
        Manager.Lifetime = 24 * time.Hour
        Manager.Cookie.Persist = true
        Manager.Cookie.SameSite = http.SameSiteNoneMode
        Manager.Cookie.Path = "" // Empty string to allow for all localhost sites
        Manager.Cookie.HttpOnly = true
        //Manager.Cookie.Name = "session_id"
        //Manager.Cookie.Domain = ""

        Manager.Store = pgxstore.NewWithCleanupInterval(GetPool(), time.Minute*30)
        //osEnv := os.Getenv("ENV")
        //if osEnv == "production" {
        //  Manager.Cookie.Secure = true // Set to true when serving over HTTPS
        //}
    })
    return Manager
}
```

Auth -

```go
func (p *GithubProvider) Callback(w http.ResponseWriter, r *http.Request) {
    err := helpers.ValidateStateAndCookieState(w, r)
    if err != nil {
        ...
    }
    code := r.URL.Query().Get("code")
    token, err := helpers.ExchangeCodeForToken(r, code, p.OAuthConfig)
    if err != nil {
        ...
    }

    client := p.OAuthConfig.Client(r.Context(), token)
    email, err := helpers.GetUserMainEmail(client)
    if err != nil {
        ...
    }
........

    db.SessionManager().Put(r.Context(), "userId", user.ID)
    println("Redirecting to review ui", "userId", user.ID)

    redirectURL, err := url.Parse(config.Configuration.Services.ReviewUIService)
    if err != nil {
        ....
    }
    logger.Info("Response headers", "headers", w.Header())

    http.Redirect(w, r, redirectURL.String()+"/auth", http.StatusFound)
}
```

This is a weird error. I've been trying to create a cookie with the session, but for some reason it does not add anything to the cookie.

sample log -

```
githubAuth      handlers/github.go:179  Response headers        {"headers": {"Set-Cookie":["state=da4e707a-9eb3-407b-baac-d16bbe7cc597; Max-Age=0"],"Vary":["Cookie"]}}
```

spa5k commented 8 months ago

But when I set the cookie to `Manager.Cookie.SameSite = http.SameSiteLaxMode`, it starts working.

spa5k commented 8 months ago

Fixed it. According to the latest changes in 2020, SameSite=None also requires Secure to be enabled.

https://stackoverflow.com/questions/2117248/setting-cookie-in-iframe-different-domain
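The rule spa5k ran into, shown as an added example (not code from scs or from this issue): a small check over a `cookieConfig` type constructed here to mirror the scs `Cookie` fields, plus the raw `Set-Cookie` header `net/http` emits for the rejected and the corrected configuration. It uses only the standard library; the type and function names are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieConfig is a constructed stand-in for the scs Cookie settings that
// matter in this issue; scs itself is not imported.
type cookieConfig struct {
	Name     string
	Path     string
	SameSite http.SameSite
	Secure   bool
	HttpOnly bool
}

var errNoneRequiresSecure = errors.New("SameSite=None cookie must also set Secure")

// Validate rejects the combination modern browsers silently drop: a
// SameSite=None cookie that is not marked Secure. Lax and Strict need no check.
func (c cookieConfig) Validate() error {
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		return errNoneRequiresSecure
	}
	return nil
}

// SetCookieHeader writes the cookie through a recorder, exactly as a handler
// would, and returns the resulting Set-Cookie header so it can be inspected.
func SetCookieHeader(c cookieConfig, value string) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, &http.Cookie{
		Name: c.Name, Value: value, Path: c.Path,
		HttpOnly: c.HttpOnly, Secure: c.Secure, SameSite: c.SameSite,
	})
	return rec.Header().Get("Set-Cookie")
}

func main() {
	broken := cookieConfig{Name: "session", SameSite: http.SameSiteNoneMode, HttpOnly: true}
	fixed := cookieConfig{Name: "session", Path: "/", SameSite: http.SameSiteNoneMode, Secure: true, HttpOnly: true}
	for _, c := range []cookieConfig{broken, fixed} {
		fmt.Printf("%-60s validate=%v\n", SetCookieHeader(c, "abc"), c.Validate())
	}
}
```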