Set cookies to SameSiteStrictMode, set OAuth cookie to SameSiteLaxMode

Forceu · Forceu · commit 6af3b5277073 · 2026-03-23T18:27:56.000+01:00
diff --git a/internal/webserver/authentication/csrftoken/CsrfToken.go b/internal/webserver/authentication/csrftoken/CsrfToken.go
@@ -14,8 +14,8 @@ var cleanupOnce sync.Once
 const ttl = 5 * time.Minute
 
 const (
-	TypeLogin = iota
-	TypeApiToken
+	TypeLogin    = iota
+	TypeApiToken // currently not used
 )
 
 type csrfToken struct {
@@ -45,7 +45,7 @@ func IsValid(tokenType int, tokenId string) bool {
 	if !ok {
 		return false
 	}
-	delete(tokens, tokenId)
+	delete(tokens, tokenId) //always deletes token, even if it was wrong type
 	if token.Type != tokenType {
 		return false
 	}
diff --git a/internal/webserver/authentication/oauth/Oauth.go b/internal/webserver/authentication/oauth/Oauth.go
@@ -119,6 +119,7 @@ func setCallbackCookie(w http.ResponseWriter, value string) {
 		Value:    value,
 		MaxAge:   int(time.Hour.Seconds()),
 		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
 	}
 	http.SetCookie(w, c)
 }
diff --git a/internal/webserver/authentication/sessionmanager/SessionManager.go b/internal/webserver/authentication/sessionmanager/SessionManager.go
@@ -88,7 +88,7 @@ func writeSessionCookie(w http.ResponseWriter, sessionString string, expiry time
 		Value:    sessionString,
 		Expires:  expiry,
 		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
+		SameSite: http.SameSiteStrictMode,
 	}
 	http.SetCookie(w, c)
 }

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ var cleanupOnce sync.Once`
`14`	`14`	`const ttl = 5 * time.Minute`
`15`	`15`
`16`	`16`	`const (`
`17`		`- TypeLogin = iota`
`18`		`- TypeApiToken`
	`17`	`+ TypeLogin = iota`
	`18`	`+ TypeApiToken // currently not used`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	`type csrfToken struct {`
`@@ -45,7 +45,7 @@ func IsValid(tokenType int, tokenId string) bool {`
`45`	`45`	`if !ok {`
`46`	`46`	`return false`
`47`	`47`	`}`
`48`		`- delete(tokens, tokenId)`
	`48`	`+ delete(tokens, tokenId) //always deletes token, even if it was wrong type`
`49`	`49`	`if token.Type != tokenType {`
`50`	`50`	`return false`
`51`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ func setCallbackCookie(w http.ResponseWriter, value string) {`
`119`	`119`	`Value: value,`
`120`	`120`	`MaxAge: int(time.Hour.Seconds()),`
`121`	`121`	`HttpOnly: true,`
	`122`	`+ SameSite: http.SameSiteLaxMode,`
`122`	`123`	`}`
`123`	`124`	`http.SetCookie(w, c)`
`124`	`125`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func writeSessionCookie(w http.ResponseWriter, sessionString string, expiry time`
`88`	`88`	`Value: sessionString,`
`89`	`89`	`Expires: expiry,`
`90`	`90`	`HttpOnly: true,`
`91`		`- SameSite: http.SameSiteLaxMode,`
	`91`	`+ SameSite: http.SameSiteStrictMode,`
`92`	`92`	`}`
`93`	`93`	`http.SetCookie(w, c)`
`94`	`94`	`}`