go-packages/iris
1
0
Fork 0
mirror of https://github.com/kataras/iris.git synced 2025-03-15 06:46:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix/Disable session subdomain persistence on 127.0.0.1 and 0.0.0.0

Browse Source
This commit is contained in:
Makis Maropoulos 2016-06-30 17:55:33 +03:00
parent 386201f73a
commit a5db711207
2 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/sessions.go
View File

@ -72,9 +72,9 @@ type (
// Default 2 hours // Default 2 hours
GcDuration time.Duration GcDuration time.Duration
// DisableSubdomainPersistance set it to dissallow your iris subdomains to have access to the session cookie // DisableSubdomainPersistence set it to dissallow your iris subdomains to have access to the session cookie
// defaults to false // defaults to false
DisableSubdomainPersistance bool DisableSubdomainPersistence bool
} }
) )
@ -85,7 +85,7 @@ func DefaultSessions() Sessions {
Cookie: DefaultCookieName, Cookie: DefaultCookieName,
Expires: CookieExpireNever, Expires: CookieExpireNever,
GcDuration: DefaultSessionGcDuration, GcDuration: DefaultSessionGcDuration,
DisableSubdomainPersistance: false, DisableSubdomainPersistence: false,
} }
} }

18
sessions/manager.go
View File

@ -92,13 +92,18 @@ func (m *Manager) Start(ctx context.IContext) store.IStore {
cookie.SetKey(m.config.Cookie) cookie.SetKey(m.config.Cookie)
cookie.SetValue(base64.URLEncoding.EncodeToString([]byte(sid))) cookie.SetValue(base64.URLEncoding.EncodeToString([]byte(sid)))
cookie.SetPath("/") cookie.SetPath("/")
if !m.config.DisableSubdomainPersistance { if !m.config.DisableSubdomainPersistence {
requestDomain := ctx.HostString() requestDomain := ctx.HostString()
// there is a problem with .localhost setted as the domain, so we check that first if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 {
if strings.Count(requestDomain, ".") > 0 { requestDomain = requestDomain[0:portIdx]
if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 { }
requestDomain = requestDomain[0:portIdx] if requestDomain == "0.0.0.0" || requestDomain == "127.0.0.1" {
} // for these type of hosts, we can't allow subdomains persistance,
// the web browser doesn't understand the mysubdomain.0.0.0.0 and mysubdomain.127.0.0.1 as scorrectly ubdomains because of the many dots
cookie.SetDomain(requestDomain)
} else if strings.Count(requestDomain, ".") > 0 { // there is a problem with .localhost setted as the domain, so we check that first
// RFC2109, we allow level 1 subdomains, but no further // RFC2109, we allow level 1 subdomains, but no further
// if we have localhost.com , we want the localhost.com. // if we have localhost.com , we want the localhost.com.
// so if we have something like: mysubdomain.localhost.com we want the localhost here // so if we have something like: mysubdomain.localhost.com we want the localhost here
@ -117,6 +122,7 @@ func (m *Manager) Start(ctx context.IContext) store.IStore {
requestDomain = strings.Replace(requestDomain, requestDomain[0:subdomainSuff], s, 1) // set to localhost.com || mysubdomain.localhost.com requestDomain = strings.Replace(requestDomain, requestDomain[0:subdomainSuff], s, 1) // set to localhost.com || mysubdomain.localhost.com
} }
} }
println(requestDomain)
// finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow) // finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow)
cookie.SetDomain("." + requestDomain) // . to allow persistance cookie.SetDomain("." + requestDomain) // . to allow persistance
} }