diff --git a/sessions/cookie.go b/sessions/cookie.go index c6766a09..c7a65026 100644 --- a/sessions/cookie.go +++ b/sessions/cookie.go @@ -52,37 +52,7 @@ func RemoveCookie(ctx context.Context, config Config) { cookie.MaxAge = -1 cookie.Value = "" cookie.Path = "/" - - if !config.DisableSubdomainPersistence { - - requestDomain := ctx.Host() - if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 { - requestDomain = requestDomain[0:portIdx] - } - if IsValidCookieDomain(requestDomain) { - - // RFC2109, we allow level 1 subdomains, but no further - // if we have localhost.com , we want the localhost.cos. - // so if we have something like: mysubdomain.localhost.com we want the localhost here - // if we have mysubsubdomain.mysubdomain.localhost.com we want the .mysubdomain.localhost.com here - // slow things here, especially the 'replace' but this is a good and understable( I hope) way to get the be able to set cookies from subdomains & domain with 1-level limit - if dotIdx := strings.LastIndexByte(requestDomain, '.'); dotIdx > 0 { - // is mysubdomain.localhost.com || mysubsubdomain.mysubdomain.localhost.com - s := requestDomain[0:dotIdx] // set mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost - if secondDotIdx := strings.LastIndexByte(s, '.'); secondDotIdx > 0 { - //is mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost - s = s[secondDotIdx+1:] // set to localhost || mysubdomain.localhost - } - // replace the s with the requestDomain before the domain's siffux - subdomainSuff := strings.LastIndexByte(requestDomain, '.') - if subdomainSuff > len(s) { // if it is actual exists as subdomain suffix - requestDomain = strings.Replace(requestDomain, requestDomain[0:subdomainSuff], s, 1) // set to localhost.com || mysubdomain.localhost.com - } - } - // finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow) - cookie.Domain = "." + requestDomain // . to allow persistence - } - } + cookie.Domain = FormatCookieDomain(ctx, config.DisableSubdomainPersistence) AddCookie(ctx, cookie, config.AllowReclaim) @@ -121,3 +91,37 @@ func IsValidCookieDomain(domain string) bool { return true } + +func FormatCookieDomain(ctx context.Context, DisableSubdomainPersistence bool) string { + if !DisableSubdomainPersistence { + + requestDomain := ctx.Host() + if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 { + requestDomain = requestDomain[0:portIdx] + } + if IsValidCookieDomain(requestDomain) { + + // RFC2109, we allow level 1 subdomains, but no further + // if we have localhost.com , we want the localhost.cos. + // so if we have something like: mysubdomain.localhost.com we want the localhost here + // if we have mysubsubdomain.mysubdomain.localhost.com we want the .mysubdomain.localhost.com here + // slow things here, especially the 'replace' but this is a good and understable( I hope) way to get the be able to set cookies from subdomains & domain with 1-level limit + if dotIdx := strings.LastIndexByte(requestDomain, '.'); dotIdx > 0 { + // is mysubdomain.localhost.com || mysubsubdomain.mysubdomain.localhost.com + s := requestDomain[0:dotIdx] // set mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost + if secondDotIdx := strings.LastIndexByte(s, '.'); secondDotIdx > 0 { + //is mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost + s = s[secondDotIdx+1:] // set to localhost || mysubdomain.localhost + } + // replace the s with the requestDomain before the domain's siffux + subdomainSuff := strings.LastIndexByte(requestDomain, '.') + if subdomainSuff > len(s) { // if it is actual exists as subdomain suffix + requestDomain = strings.Replace(requestDomain, requestDomain[0:subdomainSuff], s, 1) // set to localhost.com || mysubdomain.localhost.com + } + } + // finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow) + return "." + requestDomain // . to allow persistence + } + } + return "" +} diff --git a/sessions/sessions.go b/sessions/sessions.go index 91f88c93..a490ba8a 100644 --- a/sessions/sessions.go +++ b/sessions/sessions.go @@ -2,7 +2,6 @@ package sessions import ( "net/http" - "strings" "time" "github.com/kataras/iris/context" @@ -44,37 +43,7 @@ func (s *Sessions) updateCookie(ctx context.Context, sid string, expires time.Du cookie.Value = sid cookie.Path = "/" - if !s.config.DisableSubdomainPersistence { - - requestDomain := ctx.Host() - if portIdx := strings.IndexByte(requestDomain, ':'); portIdx > 0 { - requestDomain = requestDomain[0:portIdx] - } - if IsValidCookieDomain(requestDomain) { - - // RFC2109, we allow level 1 subdomains, but no further - // if we have localhost.com , we want the localhost.cos. - // so if we have something like: mysubdomain.localhost.com we want the localhost here - // if we have mysubsubdomain.mysubdomain.localhost.com we want the .mysubdomain.localhost.com here - // slow things here, especially the 'replace' but this is a good and understable( I hope) way to get the be able to set cookies from subdomains & domain with 1-level limit - if dotIdx := strings.LastIndexByte(requestDomain, '.'); dotIdx > 0 { - // is mysubdomain.localhost.com || mysubsubdomain.mysubdomain.localhost.com - s := requestDomain[0:dotIdx] // set mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost - if secondDotIdx := strings.LastIndexByte(s, '.'); secondDotIdx > 0 { - //is mysubdomain.localhost || mysubsubdomain.mysubdomain.localhost - s = s[secondDotIdx+1:] // set to localhost || mysubdomain.localhost - } - // replace the s with the requestDomain before the domain's siffux - subdomainSuff := strings.LastIndexByte(requestDomain, '.') - if subdomainSuff > len(s) { // if it is actual exists as subdomain suffix - requestDomain = strings.Replace(requestDomain, requestDomain[0:subdomainSuff], s, 1) // set to localhost.com || mysubdomain.localhost.com - } - } - // finally set the .localhost.com (for(1-level) || .mysubdomain.localhost.com (for 2-level subdomain allow) - cookie.Domain = "." + requestDomain // . to allow persistence - } - } - + cookie.Domain = FormatCookieDomain(ctx, s.config.DisableSubdomainPersistence) cookie.HttpOnly = true // MaxAge=0 means no 'Max-Age' attribute specified. // MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'