// AddSignedCookie adds the specified cookie to the response and also adds an // additional 'signed' cookie that is used to validate the cookies value when // SignedCookie is called. func (c *Context) AddSignedCookie(cookie *http.Cookie) (*http.Cookie, error) { // make the signed cookie signedCookie := new(http.Cookie) // copy the cookie settings signedCookie.Path = cookie.Path signedCookie.Domain = cookie.Domain signedCookie.RawExpires = cookie.RawExpires signedCookie.Expires = cookie.Expires signedCookie.MaxAge = cookie.MaxAge signedCookie.Secure = cookie.Secure signedCookie.HttpOnly = cookie.HttpOnly signedCookie.Raw = cookie.Raw // set the signed cookie specifics signedCookie.Name = toSignedCookieName(cookie.Name) signedCookie.Value = Hash(cookie.Value) // add the cookies http.SetCookie(c.ResponseWriter, cookie) http.SetCookie(c.ResponseWriter, signedCookie) // return the new signed cookie (and no error) return signedCookie, nil }
/** * クッキーを作成する * @function * @param {string} name クッキーの名前 * @param {string} value クッキーの値 * @param {string} domain 有効ドメイン * @param {string} path 有効ディレクトリ * @param {int} hour 有効期限(時間) */ func NewCookie(name string, value string, domain string, path string, hour int) *http.Cookie { duration := time.Hour * time.Duration(hour) now := time.Now() expire := now.Add(duration) cookie := new(http.Cookie) cookie.Name = name cookie.Value = value cookie.Domain = domain cookie.Path = path cookie.Expires = expire cookie.RawExpires = expire.Format(time.UnixDate) cookie.MaxAge = 60 * 60 * hour cookie.Secure = false cookie.HttpOnly = true cookie.Raw = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value) cookie.Unparsed = []string{cookie.Raw} return cookie }
// Redirects the User to the OAuth1.0a provider's Login Screen. A RequestToken // is requested from the Provider, and included in the URL's oauth_token param. // // A Successful Login / Authorization should return both the oauth_token and // the oauth_verifier to the callback URL. func (self *OAuth1Mixin) AuthorizeRedirect(w http.ResponseWriter, r *http.Request, endpoint string) error { //Get a Request Token token, err := self.Consumer.RequestToken() if err != nil { return err } //Get the redirect URL url, err := self.Consumer.AuthorizeRedirect(token) if err != nil { return err } //Write the Request Token to a Cookie, so that we can //retrieve it after re-directing the user to the //providers authorization screen. cookie := http.Cookie{} cookie.Name = "_token" cookie.Path = "/" cookie.Domain = r.URL.Host cookie.HttpOnly = true cookie.Secure = Config.CookieSecure cookie.Value = token.Encode() http.SetCookie(w, &cookie) // redirect to the login url http.Redirect(w, r, url, http.StatusSeeOther) return nil }
// Answers to /sso, returns the SSO cookie and redirects to /startpage func handler(w http.ResponseWriter, r *http.Request) { re := regexp.MustCompile("CN=([ 0-9A-Za-z_]+)") user := r.Header.Get("Certificate-User") if user == "" { log.Panicf("Did not get user!") } match := re.FindStringSubmatch(user) if len(match) != 2 { log.Panicf("No CN found!") } cn := match[1] sessionid := getSessionID(cn, r.Header.Get("X-Forwarded-For")) token := generate_session_token(sessionid, cn) signature := sign_session_token(token) cookie := http.Cookie{} cookie.Name = "PLAY_SESSION" cookie.Value = signature + "-" + token cookie.Path = "/" cookie.Domain = external_host cookie.Expires = time.Now().Add(356 * 24 * time.Hour) cookie.HttpOnly = true http.SetCookie(w, &cookie) http.Redirect(w, r, "/startpage", http.StatusFound) }
func createCookie(key, val string) *http.Cookie { cookie := new(http.Cookie) cookie.Name = key cookie.Value = val cookie.HttpOnly = false cookie.Path = "/" // Without this ang js cant read cookies we send //cookie.Expires = expire return cookie }
func (s *FormsAuthSuite) createCookie(token string) http.Cookie { cookie := http.Cookie{} cookie.Name = FormsAuthenticatorDefaultCookieName cookie.Expires = time.Now().UTC().Add(24 * 365 * time.Hour) cookie.HttpOnly = true cookie.Path = "/" cookie.Value = token return cookie }
func constructCookie(name string, value string) *http.Cookie { cookie := new(http.Cookie) cookie.Name = name cookie.Value = value cookie.Path = "/" cookie.HttpOnly = false cookie.Secure = false return cookie }
func (auth *FormsAuthenticator) createAuthCookie(jwtString string) *http.Cookie { cookie := http.Cookie{} cookie.Name = auth.CookieName cookie.Expires = auth.getCookieExpirationTime() cookie.HttpOnly = true cookie.Path = "/" cookie.Value = jwtString return &cookie }
// parse parses a Set-Cookie header into a cookie. // It supports space in name unlike net/http. // Returns nil if invalid. func parse(s string) *http.Cookie { var c http.Cookie for i, field := range strings.Split(s, ";") { if len(field) == 0 { continue } nv := strings.SplitN(field, "=", 2) name := strings.TrimSpace(nv[0]) value := "" if len(nv) > 1 { value = strings.TrimSpace(nv[1]) } if i == 0 { if len(nv) != 2 { continue } c.Name = name c.Value = value continue } switch strings.ToLower(name) { case "secure": c.Secure = true case "httponly": c.HttpOnly = true case "domain": c.Domain = value case "max-age": secs, err := strconv.Atoi(value) if err != nil || secs != 0 && value[0] == '0' { continue } if secs <= 0 { c.MaxAge = -1 } else { c.MaxAge = secs } case "expires": exptime, err := time.Parse(time.RFC1123, value) if err != nil { exptime, err = time.Parse("Mon, 02-Jan-2006 15:04:05 MST", value) if err != nil { c.Expires = time.Time{} continue } } c.Expires = exptime.UTC() case "path": c.Path = value } } if c.Name == "" { return nil } return &c }
func cookie(val string) *http.Cookie { c := new(http.Cookie) c.Name = config.Cookie c.Value = val c.Domain = config.ServerDomain c.Path = config.CookiePath c.HttpOnly = config.CookieHttpOnly c.Secure = config.CookieSecure return c }
func createBlankCookie(key string) *http.Cookie { cookie := new(http.Cookie) cookie.Name = key cookie.Value = "" l, _ := time.LoadLocation("UTC") cookie.Expires = time.Date(1970, time.January, 1, 0, 0, 0, 0, l) cookie.HttpOnly = false cookie.Path = "/" // Without this ang js cant read cookies we send return cookie }
// set cookie // args: name, value, max age, path, domain, secure, http only, expires func (ctx *Context) SetCookie(name string, value string, others ...interface{}) { cookie := http.Cookie{} cookie.Name = name cookie.Value = url.QueryEscape(value) if len(others) > 0 { switch v := others[0].(type) { case int: cookie.MaxAge = v case int64: cookie.MaxAge = int(v) case int32: cookie.MaxAge = int(v) } } cookie.Path = "/" if len(others) > 1 { if v, ok := others[1].(string); ok && len(v) > 0 { cookie.Path = v } } if len(others) > 2 { if v, ok := others[2].(string); ok && len(v) > 0 { cookie.Domain = v } } if len(others) > 3 { switch v := others[3].(type) { case bool: cookie.Secure = v default: if others[3] != nil { cookie.Secure = true } } } if len(others) > 4 { if v, ok := others[4].(bool); ok && v { cookie.HttpOnly = true } } if len(others) > 5 { if v, ok := others[5].(time.Time); ok { cookie.Expires = v cookie.RawExpires = v.Format(time.UnixDate) } } ctx.w.Header().Add("Set-Cookie", cookie.String()) }
func commitSession(headers Headers, env Env, key, secret string, options *CookieOptions) { cookie := new(http.Cookie) cookie.Name = key cookie.Value = encodeCookie(env["mango.session"].(map[string]interface{}), secret) cookie.Path = options.Path cookie.Domain = options.Domain cookie.MaxAge = options.MaxAge cookie.Secure = options.Secure cookie.HttpOnly = options.HttpOnly headers.Add("Set-Cookie", cookie.String()) }
func commitSession(headers Headers, env Env, key, secret string, newValue string, options *CookieOptions) { cookie := new(http.Cookie) cookie.Name = key cookie.Value = newValue cookie.Path = options.Path cookie.Domain = options.Domain cookie.MaxAge = options.MaxAge cookie.Secure = options.Secure cookie.HttpOnly = options.HttpOnly headers.Add("Set-Cookie", cookie.String()) }
func (ctx *Context) SetCookie(name string, value string, others ...interface{}) { cookie := http.Cookie{} cookie.Name = name cookie.Value = value if len(others) > 0 { switch v := others[0].(type) { case int: cookie.MaxAge = v case int64: cookie.MaxAge = int(v) case int32: cookie.MaxAge = int(v) } } // default "/" if len(others) > 1 { if v, ok := others[1].(string); ok && len(v) > 0 { cookie.Path = v } } else { cookie.Path = "/" } // default empty if len(others) > 2 { if v, ok := others[2].(string); ok && len(v) > 0 { cookie.Domain = v } } // default empty if len(others) > 3 { switch v := others[3].(type) { case bool: cookie.Secure = v default: if others[3] != nil { cookie.Secure = true } } } // default false. for session cookie default true if len(others) > 4 { if v, ok := others[4].(bool); ok && v { cookie.HttpOnly = true } } ctx.Res.Header().Add("Set-Cookie", cookie.String()) }
// createCookie 创建cookie func (this *HttpProcessor) createCookie(name string, id string, expire int) *http.Cookie { var cookieValue = new(http.Cookie) cookieValue.Name = name cookieValue.Value = id cookieValue.Path = "/" cookieValue.HttpOnly = true if expire > 0 { cookieValue.MaxAge = expire cookieValue.Expires = time.Now().Add(time.Second * time.Duration(expire)) } return cookieValue }
func (s sessionResponseWriter) WriteHeader(code int) { if atomic.AddInt32(&s.wroteHeader, 1) == 1 { origCookie, err := s.req.Cookie(s.h.CookieName) var origCookieVal string if err != nil { origCookieVal = "" } else { origCookieVal = origCookie.Value } session := s.h.RS.Get(s.req) if len(session) == 0 { // if we have an empty session, but the // request didn't start out that way, we // assume the user wants us to clear the // session if origCookieVal != "" { //log.Println("clearing cookie") var cookie http.Cookie cookie.Name = s.h.CookieName cookie.Value = "" cookie.Path = "/" // a cookie is expired by setting it // with an expiration time in the past cookie.Expires = time.Unix(0, 0).UTC() http.SetCookie(s, &cookie) } goto write } encoded, gobHash, err := encodeCookie(session, s.h.encKey, s.h.hmacKey) if err != nil { log.Printf("createCookie: %s\n", err) goto write } if bytes.Equal(gobHash, s.h.RS.getHash(s.req)) { //log.Println("not re-setting identical cookie") goto write } var cookie http.Cookie cookie.Name = s.h.CookieName cookie.Value = encoded cookie.Path = s.h.CookiePath cookie.HttpOnly = s.h.RS.HttpOnly cookie.Secure = s.h.RS.Secure http.SetCookie(s, &cookie) } write: s.ResponseWriter.WriteHeader(code) }
// SetCookie set cookie for context func SetCookie(cookie http.Cookie, context *qor.Context) { cookie.HttpOnly = true // set https cookie if context.Request != nil && context.Request.URL.Scheme == "https" { cookie.Secure = true } // set default path if cookie.Path == "" { cookie.Path = "/" } http.SetCookie(context.Writer, &cookie) }
func (res *Response) SetCookie(name string, value string, others ...interface{}) { cookie := http.Cookie{} cookie.Name = name cookie.Value = url.QueryEscape(value) if len(others) > 0 { switch v := others[0].(type) { case int: cookie.MaxAge = v case int64: cookie.MaxAge = int(v) case int32: cookie.MaxAge = int(v) } } cookie.Path = "/" if len(others) > 1 { if v, ok := others[1].(string); ok && len(v) > 0 { cookie.Path = v } } if len(others) > 2 { if v, ok := others[2].(string); ok && len(v) > 0 { cookie.Domain = v } } if len(others) > 3 { switch v := others[3].(type) { case bool: cookie.Secure = v default: if others[3] != nil { cookie.Secure = true } } } if len(others) > 4 { if v, ok := others[4].(bool); ok && v { cookie.HttpOnly = true } } res.Header().Add("Set-Cookie", cookie.String()) }
func ProvideSession(c *gin.Context) { // decodes a session id from cookie or provides a new one if ck, err := c.Request.Cookie("session"); err == nil { c.Set("session", ck.Value) return } newSession := "alfa romeo" c.Set("session", newSession) // c.Writer.C cookie := http.Cookie{} cookie.Name = "session" cookie.Value = newSession cookie.Path = "/" cookie.Expires = time.Now().Add(time.Hour * 24 * 7) cookie.HttpOnly = true http.SetCookie(c.Writer, &cookie) }
func (state *SessionCookieState) createCookie(session *Session) *http.Cookie { cookie := http.Cookie{} cookie.Name = state.SessionKey cookie.Value = session.Id cookie.Path = state.Path cookie.Domain = state.Domain cookie.Secure = state.Secure cookie.HttpOnly = state.HttpOnly if session.IsExpired() { cookie.Expires = time.Now() } else { if state.Expires != 0 { cookie.Expires = time.Now().Add(state.Expires) } } return &cookie }
func defaultHandler(w http.ResponseWriter, r *http.Request, db *sql.DB) { cookieToken, err := r.Cookie("token") if err != nil { if err == http.ErrNoCookie { http.Redirect(w, r, "/auth", http.StatusSeeOther) return } internalServerError(w, err) return } token := auth.NewUserToken() err = token.FromString(cookieToken.Value) if err == nil { err = auth.CheckUserToken(db, token) } if err != nil { if _, ok := err.(auth.AuthError); ok { var c http.Cookie c.Name = "token" c.MaxAge = -1 c.Secure = true c.HttpOnly = true http.SetCookie(w, &c) http.Redirect(w, r, "/", http.StatusSeeOther) return } internalServerError(w, err) return } if r.URL.Path != "/" { http.Redirect(w, r, "/", http.StatusSeeOther) return } chatHandler(w, r, db) }
func TestAddSignedCookie(t *testing.T) { context := MakeTestContext() cookie := new(http.Cookie) cookie.Name = "userId" cookie.Value = "2468" cookie.Path = "/something" cookie.Domain = "domain" cookie.RawExpires = "NOW" cookie.Expires = time.Now() cookie.MaxAge = 123 cookie.Secure = true cookie.HttpOnly = true cookie.Raw = "userId=2468;" signedCookie, err := context.AddSignedCookie(cookie) if err != nil { t.Errorf("AddSignedCookie shouldn't return an error: %s", err) return } assertEqual(t, signedCookie.Name, fmt.Sprintf("%s_signed", cookie.Name), "Cookie name") assertEqual(t, signedCookie.Value, Hash(cookie.Value), "Cookie value (signed)") // assert the rest of the values were also copied assertEqual(t, signedCookie.Path, cookie.Path, "Path") assertEqual(t, signedCookie.Domain, cookie.Domain, "Domain") assertEqual(t, signedCookie.RawExpires, cookie.RawExpires, "RawExpires") assertEqual(t, signedCookie.Expires, cookie.Expires, "Expires") assertEqual(t, signedCookie.MaxAge, cookie.MaxAge, "MaxAge") assertEqual(t, signedCookie.Secure, cookie.Secure, "Secure") assertEqual(t, signedCookie.HttpOnly, cookie.HttpOnly, "HttpOnly") assertEqual(t, signedCookie.Raw, cookie.Raw, "Raw") }
// UserLogin tries to authenticate an existing user using username/ password combination func UserLogin(ctx context.Context, w http.ResponseWriter, req *http.Request) error { var payload userLoginRequest json.NewDecoder(req.Body).Decode(&payload) if payload.Username == "" { return ErrMissingUsername } if payload.Password == "" { return ErrMissingPassword } var loginStore = ctx.Value(UserStoreKey).(userLoginStore) var user, err = loginStore.FindUserByUsername(payload.Username) if err != nil { return ErrInvalidLogin } if !user.PasswordsMatch(payload.Password) { return ErrInvalidLogin } var sessionID, _ = generateRandomString(32) if err := loginStore.UpdateUserWithToken(user.Username, sessionID); err != nil { return err } var ckie *http.Cookie for _, cookie := range req.Cookies() { if cookie.Name == "laravel_session" { ckie = cookie break } } if ckie == nil { ckie = &http.Cookie{ Name: "laravel_session", } } if encryptedSessionID, err := encrypt([]byte(sessionID)); err != nil { return err } else { ckie.Value = string(encryptedSessionID) } ckie.MaxAge = 7200 ckie.Expires = time.Now().Add(7200 * time.Second) ckie.Path = "/" ckie.HttpOnly = true http.SetCookie(w, ckie) w.WriteHeader(http.StatusOK) var data = map[string]string{ "status": "success", } if user.Email.String != "" { data["email"] = user.Email.String } json.NewEncoder(w).Encode(data) return nil }
func (handler *MinSessionHandler) genCookie() (*http.Cookie, error) { log().Debug("minsession generating cookie") handler.assureTableInitialized() var randReadErr error var otherErr error nbytes := make([]byte, minSessionCookieNameRandSize) vbytes := make([]byte, minSessionCookieValueRandSize) cookie_name := "" name_gen_needed := true for name_gen_needed { _, randReadErr = rand.Read(nbytes) if randReadErr != nil { log().Err( "minsession cookie generation was unable to" + " read the needed random bytes", ) return nil, randReadErr } cookie_name = handler.Name + "-" + hex.EncodeToString(nbytes) // Slower than adding an else on the next if, but clearer. name_gen_needed = false _, collision := handler.table[cookie_name] if collision { // We had a collision with an existing legit cookie? // Is the random number generator broken? log().Err( fmt.Sprintf( "minsession cookie generation has"+ " created a new cookie with a name"+ " that collides with an already"+ " existing cookie from the cookie"+ " table which shares the name: %s", cookie_name, ), ) name_gen_needed = true otherErr = rngCollisionError } } _, randReadErr = rand.Read(vbytes) if randReadErr != nil { log().Err( "minsession cookie generation was unable to" + " read the needed random bytes", ) return nil, randReadErr } var cke http.Cookie cke.Name = cookie_name // TODO delete log().Debug(fmt.Sprintf("got %v", handler)) cke.Value = hex.EncodeToString(vbytes) cke.Path = handler.Path cke.Domain = handler.Domain cke.MaxAge = minSessionCookieMaxAge cke.Secure = true cke.HttpOnly = true return &cke, otherErr }
// CSRFWithConfig returns a CSRF middleware with config. // See `CSRF()`. func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc { // Defaults if config.Skipper == nil { config.Skipper = DefaultCSRFConfig.Skipper } if config.TokenLength == 0 { config.TokenLength = DefaultCSRFConfig.TokenLength } if config.TokenLookup == "" { config.TokenLookup = DefaultCSRFConfig.TokenLookup } if config.ContextKey == "" { config.ContextKey = DefaultCSRFConfig.ContextKey } if config.CookieName == "" { config.CookieName = DefaultCSRFConfig.CookieName } if config.CookieMaxAge == 0 { config.CookieMaxAge = DefaultCSRFConfig.CookieMaxAge } // Initialize parts := strings.Split(config.TokenLookup, ":") extractor := csrfTokenFromHeader(parts[1]) switch parts[0] { case "form": extractor = csrfTokenFromForm(parts[1]) case "query": extractor = csrfTokenFromQuery(parts[1]) } return func(next echo.HandlerFunc) echo.HandlerFunc { return func(c echo.Context) error { if config.Skipper(c) { return next(c) } req := c.Request() k, err := c.Cookie(config.CookieName) token := "" if err != nil { // Generate token token = random.String(config.TokenLength) } else { // Reuse token token = k.Value } switch req.Method { case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE: default: // Validate token only for requests which are not defined as 'safe' by RFC7231 clientToken, err := extractor(c) if err != nil { return err } if !validateCSRFToken(token, clientToken) { return echo.NewHTTPError(http.StatusForbidden, "csrf token is invalid") } } // Set CSRF cookie cookie := new(http.Cookie) cookie.Name = config.CookieName cookie.Value = token if config.CookiePath != "" { cookie.Path = config.CookiePath } if config.CookieDomain != "" { cookie.Domain = config.CookieDomain } cookie.Expires = time.Now().Add(time.Duration(config.CookieMaxAge) * time.Second) cookie.Secure = config.CookieSecure cookie.HttpOnly = config.CookieHTTPOnly c.SetCookie(cookie) // Store token in the context c.Set(config.ContextKey, token) // Protect clients from caching the response c.Response().Header().Add(echo.HeaderVary, echo.HeaderCookie) return next(c) } } }
func authHandler(w http.ResponseWriter, r *http.Request, db *sql.DB) { err := r.ParseForm() if err != nil { internalServerError(w, err) return } var username, password string if len(r.PostForm) != 0 { username = r.PostFormValue("username") if !validate.Username(username) { renderAuth(w, errors.New("Bad username")) return } username = sanitize.Username(username) password = r.PostFormValue("password") if !validate.Password(password) { renderAuth(w, errors.New("Bad password")) return } switch { case r.PostFormValue("loginbutton") != "": var token *auth.UserToken token, err = auth.Login(db, username, password) if err != nil { if _, ok := err.(auth.AuthError); ok { renderAuth(w, errors.New("Bad login")) return } internalServerError(w, err) return } var c http.Cookie c.Name = "token" c.Value = token.String() c.MaxAge = 86400 * 7 // a week c.Secure = true c.HttpOnly = true http.SetCookie(w, &c) http.Redirect(w, r, "/", http.StatusSeeOther) return case r.PostFormValue("registerbutton") != "": err = auth.Register(db, username, password) if err != nil { if _, ok := err.(auth.AuthError); ok { renderAuth(w, errors.New("Bad register")) return } internalServerError(w, err) return } http.Redirect(w, r, "/auth", http.StatusSeeOther) return } renderAuth(w, errors.New("Bad request")) return } renderAuth(w, nil) }