web UI cookie: set the Secure flags if we are over TLS

2025-12-06 22:30:56 +03:00 · 2021-01-28 13:29:16 +01:00
parent 9985224966
commit afe1da92c5
2 changed files with 5 additions and 3 deletions
--- a/httpd/auth_utils.go
+++ b/httpd/auth_utils.go
@@ -107,7 +107,7 @@ func (c *jwtTokenClaims) createTokenResponse(tokenAuth *jwtauth.JWTAuth) (map[st
 	return response, nil
 }

-func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jwtauth.JWTAuth) error {
+func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth) error {
 	resp, err := c.createTokenResponse(tokenAuth)
 	if err != nil {
 		return err
@@ -118,6 +118,7 @@ func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jw
 		Path:     webBasePath,
 		Expires:  time.Now().Add(tokenDuration),
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})

 	return nil
@@ -130,6 +131,7 @@ func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request) {
 		Path:     webBasePath,
 		MaxAge:   -1,
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})
 	invalidateToken(r)
 }