1
1
mirror of https://github.com/go-gitea/gitea synced 2024-12-22 16:44:26 +00:00

Use secure cookie for HTTPS sites (#26999)

If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's
default value should be true.

And, if a user visits an "http" site with "https" AppURL, they won't be
able to login, and they should have been warned. The only problem is
that the "language" can't be set either in such case, while I think it
is not a serious problem, and it could be fixed easily if needed.

![image](https://github.com/go-gitea/gitea/assets/2114189/7bc9a859-dcc1-467d-bc7c-1dd6a10389e3)
This commit is contained in:
wxiaoguang 2023-09-11 17:03:51 +08:00 committed by GitHub
parent 6d96f0b0d1
commit 998cea5888
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 5 additions and 5 deletions

View File

@ -1746,8 +1746,8 @@ LEVEL = Info
;; Session cookie name ;; Session cookie name
;COOKIE_NAME = i_like_gitea ;COOKIE_NAME = i_like_gitea
;; ;;
;; If you use session in https only, default is false ;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
;COOKIE_SECURE = false ;COOKIE_SECURE =
;; ;;
;; Session GC time interval in seconds, default is 86400 (1 day) ;; Session GC time interval in seconds, default is 86400 (1 day)
;GC_INTERVAL_TIME = 86400 ;GC_INTERVAL_TIME = 86400

View File

@ -777,7 +777,7 @@ and
- `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]` - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]`
- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_. - `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_.
- `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access. - `COOKIE_SECURE`:**_empty_**: `true` or `false`. Enable this to force using HTTPS for all session access. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
- `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID. - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
- `GC_INTERVAL_TIME`: **86400**: GC interval in seconds. - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
- `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day) - `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)

View File

@ -742,7 +742,7 @@ Gitea 创建以下非唯一队列:
- `PROVIDER`: **memory**:会话存储引擎 \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]。设置为 `db` 将会重用 `[database]` 的配置信息。 - `PROVIDER`: **memory**:会话存储引擎 \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]。设置为 `db` 将会重用 `[database]` 的配置信息。
- `PROVIDER_CONFIG`: **data/sessions**:对于文件,为根路径;对于 db为空将使用数据库配置对于其他引擎为连接字符串。相对路径将根据 _`AppWorkPath`_ 绝对化。 - `PROVIDER_CONFIG`: **data/sessions**:对于文件,为根路径;对于 db为空将使用数据库配置对于其他引擎为连接字符串。相对路径将根据 _`AppWorkPath`_ 绝对化。
- `COOKIE_SECURE`: **false**启用此选项以强制在所有会话访问中使用 HTTPS。 - `COOKIE_SECURE`: **_empty_**`true` 或 `false`启用此选项以强制在所有会话访问中使用 HTTPS。如果没有设置,当 ROOT_URL 是 https 链接的时候默认设置为 true。
- `COOKIE_NAME`: **i\_like\_gitea**:用于会话 ID 的 cookie 名称。 - `COOKIE_NAME`: **i\_like\_gitea**:用于会话 ID 的 cookie 名称。
- `GC_INTERVAL_TIME`: **86400**GC 间隔时间,以秒为单位。 - `GC_INTERVAL_TIME`: **86400**GC 间隔时间,以秒为单位。
- `SESSION_LIFE_TIME`: **86400**:会话生命周期,以秒为单位,默认为 864001 天)。 - `SESSION_LIFE_TIME`: **86400**:会话生命周期,以秒为单位,默认为 864001 天)。

View File

@ -50,7 +50,7 @@ func loadSessionFrom(rootCfg ConfigProvider) {
} }
SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea") SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
SessionConfig.CookiePath = AppSubURL + "/" // there was a bug, old code only set CookePath=AppSubURL, no trailing slash SessionConfig.CookiePath = AppSubURL + "/" // there was a bug, old code only set CookePath=AppSubURL, no trailing slash
SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(false) SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(strings.HasPrefix(strings.ToLower(AppURL), "https://"))
SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400) SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400) SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
SessionConfig.Domain = sec.Key("DOMAIN").String() SessionConfig.Domain = sec.Key("DOMAIN").String()