Implement feature request: http://support.iris-go.com/d/29-mark-cookie-for-session-as-secure

Example: app := iris.New() app.Adapt(httprouter.New()) // IMPORTANT cookieName := "mycustomsessionid" // AES only supports key sizes of 16, 24 or 32 bytes. // You either need to provide exactly that amount or you derive the key from what you type in. hashKey := []byte("the-big-and-secret-fash-key-here") blockKey := []byte("lot-secret-of-characters-big-too") secureCookie := securecookie.New(hashKey, blockKey) app.Adapt(sessions.New(sessions.Config{ Cookie: cookieName, Encode: secureCookie.Encode, Decode: secureCookie.Decode, })) Former-commit-id: 6fe5ce6cb834d55862242e08405fad4e721caa5b
2026-01-09 21:15:56 +00:00 · 2017-03-18 12:22:20 +02:00
parent 549c8eba10
commit d51c0b7b50
5 changed files with 213 additions and 12 deletions
--- a/adaptors/sessions/config.go
+++ b/adaptors/sessions/config.go
@@ -31,6 +31,29 @@ type (
 		// Defaults to false
 		DecodeCookie bool

+		// Encode the cookie value if not nil.
+		// Should accept as first argument the cookie name (config.Name)
+		//         as second argument the server's generated session id.
+		// Should return the new session id, if error the session id setted to empty which is invalid.
+		//
+		// Note: Errors are not printed, so you have to know what you're doing,
+		// and remember: if you use AES it only supports key sizes of 16, 24 or 32 bytes.
+		// You either need to provide exactly that amount or you derive the key from what you type in.
+		//
+		// Defaults to nil
+		Encode func(cookieName string, value interface{}) (string, error)
+		// Decode the cookie value if not nil.
+		// Should accept as first argument the cookie name (config.Name)
+		//               as second second accepts the client's cookie value (the encoded session id).
+		// Should return an error if decode operation failed.
+		//
+		// Note: Errors are not printed, so you have to know what you're doing,
+		// and remember: if you use AES it only supports key sizes of 16, 24 or 32 bytes.
+		// You either need to provide exactly that amount or you derive the key from what you type in.
+		//
+		// Defaults to nil
+		Decode func(cookieName string, cookieValue string, v interface{}) error
+
 		// Expires the duration of which the cookie must expires (created_time.Add(Expires)).
 		// If you want to delete the cookie when the browser closes, set it to -1.
 		//
--- a/adaptors/sessions/sessions.go
+++ b/adaptors/sessions/sessions.go
@@ -90,13 +90,16 @@ func (s *sessions) Start(res http.ResponseWriter, req *http.Request) iris.Sessio
 	var sess iris.Session

 	cookieValue := GetCookie(s.config.Cookie, req)
+
 	if cookieValue == "" { // cookie doesn't exists, let's generate a session and add set a cookie
 		sid := SessionIDGenerator(s.config.CookieLength)
+
 		sess = s.provider.Init(sid, s.config.Expires)
 		cookie := &http.Cookie{}

 		// The RFC makes no mention of encoding url value, so here I think to encode both sessionid key and the value using the safe(to put and to use as cookie) url-encoding
 		cookie.Name = s.config.Cookie
+
 		cookie.Value = sid
 		cookie.Path = "/"
 		if !s.config.DisableSubdomainPersistence {
@@ -143,8 +146,34 @@ func (s *sessions) Start(res http.ResponseWriter, req *http.Request) iris.Sessio
 			cookie.MaxAge = int(cookie.Expires.Sub(time.Now()).Seconds())
 		}

+		{
+			// encode the session id cookie client value right before send it.
+			if encode := s.config.Encode; encode != nil {
+				newVal, err := encode(s.config.Cookie, cookie.Value)
+				if err == nil {
+					cookie.Value = newVal
+				} else {
+					cookie.Value = ""
+				}
+			}
+		}
+
 		AddCookie(cookie, res)
 	} else {
+
+		{
+			// decode the cookie value from the client's cookie right before read the session data.
+			var cookieValueDecoded *string
+			if decode := s.config.Decode; decode != nil {
+				err := decode(s.config.Cookie, cookieValue, &cookieValueDecoded)
+				if err == nil {
+					cookieValue = *cookieValueDecoded
+				} else {
+					cookieValue = ""
+				}
+			}
+		}
+
 		sess = s.provider.Read(cookieValue, s.config.Expires)
 	}
 	return sess
@@ -157,6 +186,22 @@ func (s *sessions) Destroy(res http.ResponseWriter, req *http.Request) {
 		return
 	}
 	RemoveCookie(s.config.Cookie, res, req)
+
+	{
+		// decode the client's cookie value in order to find the server's session id
+		// to destroy the session data.
+		var cookieValueDecoded *string
+		if decode := s.config.Decode; decode != nil {
+			err := decode(s.config.Cookie, cookieValue, &cookieValueDecoded)
+			if err == nil {
+				cookieValue = *cookieValueDecoded
+			} else {
+				cookieValue = ""
+			}
+		}
+
+	}
+
 	s.provider.Destroy(cookieValue)
 }