
Commit 233ef45

authored
Revert "Revert "fix: cookie setup and cleanup in connect rpc server"" (#1159)
1 parent b8783c2 commit 233ef45


1 file changed

+24
-13
lines changed


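--- a/pkg/server/connect_interceptors/session.go
+++ b/pkg/server/connect_interceptors/session.go
@@ -2,7 +2,6 @@ package connectinterceptors
 
 import (
 "context"
-"fmt"
 "net/http"
 "strings"
 "time"
@@ -144,12 +143,18 @@ func (s *SessionInterceptor) UnaryConnectResponseInterceptor() connect.UnaryInte
 }
 
 // set cookie in response with all required attributes
-cookie := fmt.Sprintf("%s=%s; Path=/; Domain=%s; HttpOnly; SameSite=%v; Secure",
-consts.SessionRequestKey,
-encodedSession,
-s.conf.Domain,
-CookieSameSite(s.conf.SameSite))
-resp.Header().Set("Set-Cookie", cookie)
+cookie := http.Cookie{
+Domain: s.conf.Domain,
+Name: consts.SessionRequestKey,
+Value: encodedSession,
+Path: "/",
+Expires: time.Now().UTC().Add(s.conf.Validity),
+MaxAge: int(s.conf.Validity.Seconds()),
+HttpOnly: true,
+SameSite: CookieSameSite(s.conf.SameSite),
+Secure: s.conf.Secure,
+}
+resp.Header().Set("Set-Cookie", cookie.String())
 
 // delete the gateway headers to not expose any grpc-metadata in http response
 resp.Header().Del(consts.SessionIDGatewayKey)
@@ -162,12 +167,18 @@ func (s *SessionInterceptor) UnaryConnectResponseInterceptor() connect.UnaryInte
 resp.Header().Del(consts.SessionDeleteGatewayKey)
 
 // Set an expired cookie to clear it
-cookie := fmt.Sprintf("%s=; Path=/; Domain=%s; Expires=%s; MaxAge=-1; HttpOnly; SameSite=%v; Secure",
-consts.SessionRequestKey,
-s.conf.Domain,
-time.Now().UTC().Format(time.RFC1123),
-CookieSameSite(s.conf.SameSite))
-resp.Header().Set("Set-Cookie", cookie)
+cookie := http.Cookie{
+Domain: s.conf.Domain,
+Name: consts.SessionRequestKey,
+Value: "",
+Path: "/",
+Expires: time.Now().UTC(),
+MaxAge: -1,
+HttpOnly: true,
+SameSite: CookieSameSite(s.conf.SameSite),
+Secure: s.conf.Secure,
+}
+resp.Header().Set("Set-Cookie", cookie.String())
 }
 
 // did the gRPC method set location redirect key in metadata?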
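Review bot: `Secure: s.conf.Secure` on new lines 155 and 179 turns the Secure attribute into a configuration choice, where the removed `fmt.Sprintf` strings always emitted it. The default of `conf.Secure` is not visible here, but if it is the Go zero value, a deployment that never sets it would start issuing the session cookie without Secure, so it can travel over plain HTTP. Browsers also reject a `SameSite=None` cookie that lacks Secure, which would silently break both the set and the clear path. Consider failing closed, for example `Secure: s.conf.Secure || CookieSameSite(s.conf.SameSite) == http.SameSiteNoneMode,`, or validate the config at startup and add a comment that `false` is for local plain-HTTP development only. The enclosing interceptor body starts and ends outside the hunks shown, so any earlier guard on the config is not visible from here.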
