buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

MIT License

3.1k stars 186 forks source link

Problem

By default, we set the Domain attribute in the session cookie to the request's host value. This causes the cookie to be valid for the provided domain, and all subdomains. I don't believe this is expected behaviour, and shouldn't be the default.

The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. ... If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

A leading . no longer has any impact on where the cookie is shared.

Codecov Report

Merging #329 (8b33030) into main (7018b6f) will decrease coverage by 0.00%. The diff coverage is 60.00%.

@@            Coverage Diff             @@
##             main     #329      +/-   ##
==========================================
- Coverage   62.94%   62.93%   -0.01%     
==========================================
  Files          58       58              
  Lines        4758     4757       -1     
==========================================
- Hits         2995     2994       -1     
  Misses       1546     1546              
  Partials      217      217

Impacted Files	Coverage Δ
internal/pkg/sessions/cookie_store.go	`85.29% <60.00%> (-0.22%)`	:arrow_down:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 7018b6f...8b33030. Read the comment docs.

buzzfeed / sso

sessions pkg: omit domain attribute in session cookie #329

Problem

Solution

Codecov Report