Sign cookies in the Redis Session store

2019-05-15 17:20:32 +01:00 · 2019-05-15 17:20:32 +01:00 · a21dc34282
commit a21dc34282
parent febd026ffe
1 changed files with 30 additions and 11 deletions
--- a/pkg/sessions/redis/redis_store.go
+++ b/pkg/sessions/redis/redis_store.go
@ -71,11 +71,9 @@ func (store *SessionStore) Save(rw http.ResponseWriter, req *http.Request, s *se
 		return err
 	}

-	ticketCookie := cookies.MakeCookieFromOptions(
+	ticketCookie := store.makeCookie(
 		req,
-		store.CookieOptions.CookieName,
 		ticketString,
-		store.CookieOptions,
 		store.CookieOptions.CookieExpire,
 		s.CreatedAt,
 	)
@ -91,8 +89,12 @@ func (store *SessionStore) Load(req *http.Request) (*sessions.SessionState, erro
 	if err != nil {
 		return nil, fmt.Errorf("error loading session: %s", err)
 	}
-	// No cookie validation necessary
-	session, err := store.LoadSessionFromString(requestCookie.Value)
+
+	val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire)
+	if !ok {
+		return nil, fmt.Errorf("Cookie Signature not valid")
+	}
+	session, err := store.LoadSessionFromString(val)
 	if err != nil {
 		return nil, fmt.Errorf("error loading session: %s", err)
 	}
@ -132,12 +134,15 @@ func (store *SessionStore) LoadSessionFromString(value string) (*sessions.Sessio
 func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) error {
 	requestCookie, _ := req.Cookie(store.CookieOptions.CookieName)

+	val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire)
+	if !ok {
+		return fmt.Errorf("Cookie Signature not valid")
+	}
+
 	// We go ahead and clear the cookie first, always.
-	clearCookie := cookies.MakeCookieFromOptions(
+	clearCookie := store.makeCookie(
 		req,
-		store.CookieOptions.CookieName,
 		"",
-		store.CookieOptions,
 		time.Hour*-1,
 		time.Now(),
 	)
@ -145,10 +150,9 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro

 	// We only return an error if we had an issue with redis
 	// If there's an issue decoding the ticket, ignore it
-	ticket, _ := decodeTicket(store.CookieOptions.CookieName, requestCookie.Value)
+	ticket, _ := decodeTicket(store.CookieOptions.CookieName, val)
 	if ticket != nil {
-		deleted, err := store.Client.Del(ticket.asHandle(store.CookieOptions.CookieName)).Result()
-		fmt.Println("delted %n", deleted)
+		_, err := store.Client.Del(ticket.asHandle(store.CookieOptions.CookieName)).Result()
 		if err != nil {
 			return fmt.Errorf("error clearing cookie from redis: %s", err)
 		}
@ -156,6 +160,21 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro
 	return nil
 }

+// makeCookie makes a cookie, signing the value if present
+func (store *SessionStore) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) *http.Cookie {
+	if value != "" {
+		value = cookie.SignedValue(store.CookieOptions.CookieSecret, store.CookieOptions.CookieName, value, now)
+	}
+	return cookies.MakeCookieFromOptions(
+		req,
+		store.CookieOptions.CookieName,
+		value,
+		store.CookieOptions,
+		expires,
+		now,
+	)
+}
+
 func (store *SessionStore) storeValue(value string, expiresOn time.Time, requestCookie *http.Cookie) (string, error) {
 	var ticket *TicketData
 	if requestCookie != nil {