mirror of
https://github.com/grafana/grafana.git
synced 2024-12-01 13:09:22 -06:00
d94796a022
According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
50 lines
1.1 KiB
Go
50 lines
1.1 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
type CookieOptions struct {
|
|
Path string
|
|
Secure bool
|
|
SameSiteDisabled bool
|
|
SameSiteMode http.SameSite
|
|
}
|
|
|
|
func newCookieOptions() CookieOptions {
|
|
path := "/"
|
|
if len(setting.AppSubUrl) > 0 {
|
|
path = setting.AppSubUrl
|
|
}
|
|
return CookieOptions{
|
|
Path: path,
|
|
Secure: setting.CookieSecure,
|
|
SameSiteDisabled: setting.CookieSameSiteDisabled,
|
|
SameSiteMode: setting.CookieSameSiteMode,
|
|
}
|
|
}
|
|
|
|
type GetCookieOptionsFunc func() CookieOptions
|
|
|
|
func DeleteCookie(w http.ResponseWriter, name string, getCookieOptionsFunc GetCookieOptionsFunc) {
|
|
WriteCookie(w, name, "", -1, getCookieOptionsFunc)
|
|
}
|
|
|
|
func WriteCookie(w http.ResponseWriter, name string, value string, maxAge int, getCookieOptionsFunc GetCookieOptionsFunc) {
|
|
options := getCookieOptionsFunc()
|
|
cookie := http.Cookie{
|
|
Name: name,
|
|
MaxAge: maxAge,
|
|
Value: value,
|
|
HttpOnly: true,
|
|
Path: options.Path,
|
|
Secure: options.Secure,
|
|
}
|
|
if !options.SameSiteDisabled {
|
|
cookie.SameSite = options.SameSiteMode
|
|
}
|
|
http.SetCookie(w, &cookie)
|
|
}
|