apexskier / httpauth

Go (lang) HTTP session authentication
MIT License

Add option to specify secure cookies in the session store #33

Open turnkey-commerce opened 8 years ago

turnkey-commerce commented 8 years ago

There should be an option to make sure the cookie storage requires secure cookies for sites that have https available. It needs to be optional so that it would be supported in dev/testing environments that don't support https.

One possibility would be to add another argument to the NewAuthorizer:

func NewAuthorizer(backend AuthBackend, secureCookie bool, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) {
    var a Authorizer
    a.cookiejar = sessions.NewCookieStore([]byte(key))
    a.cookiejar.Options.Secure = secureCookie
...
}

or make it secure by default and require calling a method to make it insecure (best practice):

func NewAuthorizer(backend AuthBackend, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) {
    var a Authorizer
    a.cookiejar = sessions.NewCookieStore([]byte(key))
    a.cookiejar.Options.Secure = true
...
}

func (a Authorizer) AllowNonHttpsCookie() {
    a.cookiejar.Options.Secure = false
}

One related issue to cover is that currently a login seems to fail silently if a.cookiejar.Options.Secure is set to true and it is on a site that does not support https.
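The secure-by-default design with an explicit opt-out, plus a loud failure instead of a silent one when a Secure cookie would be set on a plaintext request, as an added example that is not part of the issue or the httpauth project. It uses only net/http rather than gorilla/sessions, so `SessionCookies`, `NewSessionCookies`, `Set`, `Issue`, `TrustProxy` and `ErrInsecureTransport` are hypothetical names invented here, not the library's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrInsecureTransport is returned instead of silently issuing a Secure cookie
// that the browser would discard because the connection is plain HTTP.
var ErrInsecureTransport = errors.New("session cookie is marked Secure but the request did not arrive over TLS")

// SessionCookies is a hypothetical stand-in for the Authorizer's cookie jar.
type SessionCookies struct {
	Name       string
	Secure     bool // true by default; cleared only by AllowNonHTTPSCookie
	MaxAge     int
	TrustProxy bool // honour X-Forwarded-Proto from a TLS-terminating proxy you control
}

// NewSessionCookies is secure by default, the option the thread prefers.
func NewSessionCookies(name string) *SessionCookies {
	return &SessionCookies{Name: name, Secure: true, MaxAge: 86400}
}

// AllowNonHTTPSCookie is the deliberate opt-out for dev/test environments.
func (s *SessionCookies) AllowNonHTTPSCookie() { s.Secure = false }

// overTLS reports whether the request reached the server over HTTPS. The
// forwarded header is only trusted when the deployment explicitly opts in,
// since any client can send it directly to an exposed listener.
func (s *SessionCookies) overTLS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return s.TrustProxy && r.Header.Get("X-Forwarded-Proto") == "https"
}

// Set writes the session cookie, or refuses with an error when a Secure
// cookie could never be returned by the browser on this connection.
func (s *SessionCookies) Set(w http.ResponseWriter, r *http.Request, value string) error {
	if s.Secure && !s.overTLS(r) {
		return ErrInsecureTransport
	}
	http.SetCookie(w, &http.Cookie{
		Name:     s.Name,
		Value:    value,
		Path:     "/",
		MaxAge:   s.MaxAge,
		Secure:   s.Secure,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
	return nil
}

// Issue runs one login against an in-memory recorder (a constructed request,
// no network) and returns the cookie that was issued, if any, so the Secure
// attribute can be inspected without a browser.
func Issue(s *SessionCookies, target, value string) (*http.Cookie, error) {
	w := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPost, target, nil) // https:// targets get a non-nil r.TLS
	if err := s.Set(w, r, value); err != nil {
		return nil, err
	}
	for _, c := range w.Result().Cookies() {
		if c.Name == s.Name {
			return c, nil
		}
	}
	return nil, errors.New("no session cookie issued")
}

func main() {
	s := NewSessionCookies("session")
	if _, err := Issue(s, "http://localhost:8080/login", "sid"); err != nil {
		fmt.Println("plain HTTP with Secure cookie:", err)
	}
	c, _ := Issue(s, "https://example.com/login", "sid")
	fmt.Println("HTTPS, cookie Secure attribute:", c.Secure)
	s.AllowNonHTTPSCookie()
	c, _ = Issue(s, "http://localhost:8080/login", "sid")
	fmt.Println("plain HTTP after opt-out, cookie Secure attribute:", c.Secure)
}
```

The check in `Set` is what turns the silent login failure into a visible error: a Secure cookie on a plaintext request is never a valid outcome, so the call should fail rather than emit a Set-Cookie header the browser will throw away.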

apexskier commented 8 years ago

I think I'd prefer your latter suggestion: making cookies secure by default with a fallback method/option to allow non secure cookies. I'm very much open to PRs implementing this feature.

turnkey-commerce commented 8 years ago

Thanks for the confirm, I'll work on that and issue a PR.