Added same-site policy for session options (#1381)

* Feat: added same-site policy for session options * Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session. Co-authored-by: AaronLiu <abslant@126.com>
2026-01-26 09:34:57 +08:00 · 2022-12-16 13:59:26 +08:00
parent fd59d1b5ca
commit 74e1bd6a43
5 changed files with 90 additions and 18 deletions
--- a/middleware/session.go
+++ b/middleware/session.go
@@ -1,6 +1,9 @@
 package middleware

 import (
+	"net/http"
+	"strings"
+
 	"github.com/cloudreve/Cloudreve/v3/pkg/conf"
 	"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
 	"github.com/cloudreve/Cloudreve/v3/pkg/util"
@@ -28,9 +31,27 @@ func Session(secret string) gin.HandlerFunc {
 		Store = memstore.NewStore([]byte(secret))
 	}

+	sameSiteMode := http.SameSiteDefaultMode
+	switch strings.ToLower(conf.CORSConfig.SameSite) {
+	case "default":
+		sameSiteMode = http.SameSiteDefaultMode
+	case "none":
+		sameSiteMode = http.SameSiteNoneMode
+	case "strict":
+		sameSiteMode = http.SameSiteStrictMode
+	case "lax":
+		sameSiteMode = http.SameSiteLaxMode
+	}
+
 	// Also set Secure: true if using SSL, you should though
-	// TODO:same-site policy
-	Store.Options(sessions.Options{HttpOnly: true, MaxAge: 60 * 86400, Path: "/"})
+	Store.Options(sessions.Options{
+		HttpOnly: true,
+		MaxAge:   60 * 86400,
+		Path:     "/",
+		SameSite: sameSiteMode,
+		Secure:   conf.CORSConfig.Secure,
+	})
+
 	return sessions.Sessions("cloudreve-session", Store)
 }