Session cookie key is now configurable

- Added [web] cookie.auth.key to configuration
- Inbucket generates a random key if none is configured
- Added [default] default.domain to be reference by SMTP and POP3
  configs
- Updated default/sample config files

httpd/context.go

@@ -43,14 +43,21 @@ func headerMatch(req *http.Request, name string, value string) bool {
 func NewContext(req *http.Request) (*Context, error) {
 	vars := mux.Vars(req)
 	sess, err := sessionStore.Get(req, "inbucket")
+	if err != nil {
+		if sess == nil {
+			// No session, must fail
+			return nil, err
+		} else {
+			// The session cookie was probably signed by an old key, ignore it
+			// gorilla created an empty session for us
+			err = nil
+		}
+	}
 	ctx := &Context{
 		Vars:      vars,
 		Session:   sess,
 		DataStore: DataStore,
 		IsJSON:    headerMatch(req, "Accept", "application/json"),
 	}
-	if err != nil {
-		return ctx, err
-	}
 	return ctx, err
 }

httpd/server.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/goods/httpbuf"
 	"github.com/gorilla/mux"
+	"github.com/gorilla/securecookie"
 	"github.com/gorilla/sessions"
 	"github.com/jhillyerd/inbucket/config"
 	"github.com/jhillyerd/inbucket/log"
@@ -41,7 +42,13 @@ func Initialize(cfg config.WebConfig, ds smtpd.DataStore) {
 	DataStore = ds
 
 	// TODO Make configurable
-	sessionStore = sessions.NewCookieStore([]byte("something-very-secret"))
+	if cfg.CookieAuthKey == "" {
+		log.Infof("HTTP generating random cookie.auth.key")
+		sessionStore = sessions.NewCookieStore(securecookie.GenerateRandomKey(64))
+	} else {
+		log.Tracef("HTTP using configured cookie.auth.key")
+		sessionStore = sessions.NewCookieStore([]byte(cfg.CookieAuthKey))
+	}
 }
 
 func setupRoutes(cfg config.WebConfig) {