Merge pull request #862 from isucon/feature-update-session-managemnent

update session managemnent for unsecure cookie
isucon · Aug 25, 2024 · 1f1067e · 1f1067e
2 parents f0776fc + c09360d
commit 1f1067e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/webapp/go/go.mod b/webapp/go/go.mod
@@ -5,12 +5,10 @@ go 1.21.6
 require (
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-sql-driver/mysql v1.8.1
+	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.3.0
 	github.com/jmoiron/sqlx v1.4.0
 	golang.org/x/crypto v0.26.0
 )
 
-require (
-	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/gorilla/securecookie v1.1.2 // indirect
-)
+require filippo.io/edwards25519 v1.1.0 // indirect
diff --git a/webapp/go/main.go b/webapp/go/main.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-sql-driver/mysql"
+	"github.com/gorilla/securecookie"
 	"github.com/gorilla/sessions"
 	"github.com/jmoiron/sqlx"
 	"golang.org/x/crypto/bcrypt"
@@ -269,7 +270,17 @@ type resSetting struct {
 }
 
 func init() {
-	store = sessions.NewCookieStore([]byte("abc"))
+	keyPairs := []byte("abc")
+	cs := &sessions.CookieStore{
+		Codecs: securecookie.CodecsFromPairs(keyPairs),
+		Options: &sessions.Options{
+			Path:     "/",
+			MaxAge:   86400 * 30,
+			SameSite: http.SameSiteNoneMode,
+		},
+	}
+	cs.MaxAge(cs.Options.MaxAge)
+	store = cs
 
 	log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
 
@@ -363,7 +374,6 @@ func main() {
 
 func getSession(r *http.Request) *sessions.Session {
 	session, _ := store.Get(r, sessionName)
-	session.Options.Secure = false
 
 	return session
 }