Secure session cookie

photoblog/admin/admin.go

@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/gorilla/sessions"
 )
@@ -30,6 +31,22 @@ type AuthCookie struct {
 	PasswordSecret string
 }
 
+// Constructor AuthCookie
+func NewAuthCookie(tpl *template.Template, sessionSecret, passwordSecret string, data *os.File) *AuthCookie {
+	app := &AuthCookie{
+		Templates:      tpl,
+		Store:          sessions.NewCookieStore([]byte(sessionSecret)),
+		DataDir:        data,
+		PasswordSecret: passwordSecret,
+	}
+	app.Store.Options = &sessions.Options{
+		Secure:   true,
+		HttpOnly: true,
+		MaxAge:   int((24 * time.Hour) / time.Second),
+	}
+	return app
+}
+
 // Verify Username
 func (app *AuthCookie) VerifyUsername(username string) error {
 	if username == "" {

photoblog/main.go

@@ -11,7 +11,7 @@ import (
 	"meutel.net/meutel/go-examples/photoblog/admin"
 	"meutel.net/meutel/go-examples/photoblog/photo"
 
-	"github.com/gorilla/sessions"
+	"github.com/gorilla/context"
 )
 
 type PhotoBlogConfig struct {
@@ -58,12 +58,7 @@ func main() {
 	}
 
 	app := photo.PhotoBlog{
-		admin.AuthCookie{
+		*admin.NewAuthCookie(tpl, conf.SessionSecret, conf.PasswordSecret, data),
-			Templates:      tpl,
-			Store:          sessions.NewCookieStore([]byte(conf.SessionSecret)),
-			DataDir:        data,
-			PasswordSecret: conf.PasswordSecret,
-		},
 	}
 
 	http.HandleFunc("/", func(res http.ResponseWriter, req *http.Request) {
@@ -76,5 +71,5 @@ func main() {
 	http.HandleFunc("/upload", app.UploadPage)
 	http.HandleFunc("/login", app.LoginPage)
 	http.HandleFunc("/logout", app.LogoutPage)
-	http.ListenAndServeTLS(":9443", "../cert.pem", "../key.pem", nil)
+	http.ListenAndServeTLS(":9443", "../cert.pem", "../key.pem", context.ClearHandler(http.DefaultServeMux))
 }