search

buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License
3.07k stars 187 forks source link

sessions pkg: omit domain attribute in session cookie #329

Closed Jusshersmith closed 2 years ago

Jusshersmith commented 2 years ago

Problem

By default, we set the Domain attribute in the session cookie to the request's host value. This causes the cookie to be valid for the provided domain, and all subdomains. I don't believe this is expected behaviour, and shouldn't be the default.

For reference: https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.3

The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. ... If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

A leading . no longer has any impact on where the cookie is shared.

More references: mozilla domain attribute, mozilla set-cookie

Solution

Unless a domain is explicitly specified in the configuration, set the domain value to "" so that the cookie isn't shared with subdomains. Instead, it automatically defaults to only the request's domain

codecov[bot] commented 2 years ago

Codecov Report

Merging #329 (8b33030) into main (7018b6f) will decrease coverage by 0.00%. The diff coverage is 60.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #329      +/-   ##
==========================================
- Coverage   62.94%   62.93%   -0.01%     
==========================================
  Files          58       58              
  Lines        4758     4757       -1     
==========================================
- Hits         2995     2994       -1     
  Misses       1546     1546              
  Partials      217      217
Impacted Files Coverage Δ
internal/pkg/sessions/cookie_store.go 85.29% <60.00%> (-0.22%) :arrow_down:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 7018b6f...8b33030. Read the comment docs.