Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787)

* Refactor redirect_to cookie with secure flag in middleware

* Refactor redirect_to cookie with secure flag in api/login

* Refactor redirect_to cookie with secure flag in api/login_oauth

* Removed the deletion of 'Set-Cookie' header to prevent logout

* Removed the deletion of 'Set-Cookie' at top of api/login.go

* Add HttpOnly flag on redirect_to cookies where missing

* Refactor duplicated code

* Add tests

* Refactor cookie options

* Replace local function for deleting cookie

* Delete redundant calls

Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
Jeffrey Descan
2020-01-10 14:55:30 +01:00
committed by Sofia Papagiannaki
parent a3c99f4871
commit c5f906f472
6 changed files with 101 additions and 70 deletions


@@ -47,7 +47,7 @@ func notAuthorized(c *m.ReqContext) {
return
}
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/", nil, false, true)
WriteCookie(c.Resp, "redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, newCookieOptions)
c.Redirect(setting.AppSubUrl + "/login")
}
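Review bot: the replacement `WriteCookie(c.Resp, "redirect_to", ..., 0, newCookieOptions)` drops three arguments the old `c.SetCookie` call passed explicitly: the path `setting.AppSubUrl+"/"`, `false` for Secure and `true` for HttpOnly. Since `newCookieOptions` is defined outside this hunk, confirm that it carries the same path (otherwise the cookie's scope changes silently), keeps `HttpOnly` set, and takes its `Secure` value from configuration rather than a hardcoded constant, which is the behaviour the commit title promises. The value is still `url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI)`, so the login handler that consumes `redirect_to` must keep unescaping and validating it as a relative path before redirecting.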