
changes needed for api/middleware due to configuration settings

Marcus Efraimsson 6 years ago
parent
commit
871c84d195
4 changed files with 32 additions and 16 deletions
  1. 3 2
      pkg/api/login.go
  2. 2 1
      pkg/api/login_oauth.go
  3. 15 9
      pkg/middleware/middleware.go
  4. 12 4
      pkg/middleware/middleware_test.go

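--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@@ -137,7 +137,7 @@ func (hs *HTTPServer) loginUserWithUser(user *m.User, c *m.ReqContext) {
 		hs.log.Error("failed to create auth token", "error", err)
 	}
 
-	middleware.WriteSessionCookie(c, userToken.GetToken(), middleware.OneYearInSeconds)
+	middleware.WriteSessionCookie(c, userToken.GetToken(), hs.Cfg.LoginMaxLifetimeDays)
 }
 
 func (hs *HTTPServer) Logout(c *m.ReqContext) {
@@ -185,7 +185,8 @@ func (hs *HTTPServer) trySetEncryptedCookie(ctx *m.ReqContext, cookieName string
 		Value:    hex.EncodeToString(encryptedError),
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.SecurityHTTPSCookies,
+		Secure:   hs.Cfg.CookieSecure,
+		SameSite: hs.Cfg.CookieSameSite,
 	})
 
 	return nil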

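--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -214,7 +214,8 @@ func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value stri
 		Value:    value,
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.SecurityHTTPSCookies,
+		Secure:   hs.Cfg.CookieSecure,
+		SameSite: hs.Cfg.CookieSameSite,
 	})
 }
 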
 

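--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"time"
 
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/components/apikeygen"
@@ -168,11 +169,8 @@ func initContextWithBasicAuth(ctx *m.ReqContext, orgId int64) bool {
 	return true
 }
 
-const cookieName = "grafana_session"
-const OneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
-
 func initContextWithToken(authTokenService authtoken.UserAuthTokenService, ctx *m.ReqContext, orgID int64) bool {
-	rawToken := ctx.GetCookie(cookieName)
+	rawToken := ctx.GetCookie(setting.LoginCookieName)
 	if rawToken == "" {
 		return false
 	}
@@ -200,26 +198,34 @@ func initContextWithToken(authTokenService authtoken.UserAuthTokenService, ctx *
 	}
 
 	if rotated {
-		WriteSessionCookie(ctx, token.GetToken(), OneYearInSeconds)
+		WriteSessionCookie(ctx, token.GetToken(), setting.LoginMaxLifetimeDays)
 	}
 
 	return true
 }
 
-func WriteSessionCookie(ctx *m.ReqContext, value string, maxAge int) {
+func WriteSessionCookie(ctx *m.ReqContext, value string, maxLifetimeDays int) {
 	if setting.Env == setting.DEV {
 		ctx.Logger.Info("new token", "unhashed token", value)
 	}
 
+	var maxAge int
+	if maxLifetimeDays <= 0 {
+		maxAge = -1
+	} else {
+		maxAgeHours := (time.Duration(setting.LoginMaxLifetimeDays) * 24 * time.Hour) + time.Hour
+		maxAge = int(maxAgeHours.Seconds())
+	}
+
 	ctx.Resp.Header().Del("Set-Cookie")
 	cookie := http.Cookie{
-		Name:     cookieName,
+		Name:     setting.LoginCookieName,
 		Value:    url.QueryEscape(value),
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   false, // TODO: use setting SecurityHTTPSCookies
+		Secure:   setting.CookieSecure,
 		MaxAge:   maxAge,
-		SameSite: http.SameSiteLaxMode, // TODO: use setting LoginCookieSameSite
+		SameSite: setting.CookieSameSite,
 	}
 
 	http.SetCookie(ctx.Resp, &cookie)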
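Review bot: WriteSessionCookie ignores its new maxLifetimeDays parameter when it computes the lifetime: the guard checks `maxLifetimeDays <= 0`, but the duration on the next line is built from the global `setting.LoginMaxLifetimeDays`, so the value the caller in pkg/api/login.go passes (`hs.Cfg.LoginMaxLifetimeDays`) never reaches the cookie and the two sources can silently diverge. Replace the two lines of the else branch with `maxAge = int((time.Duration(maxLifetimeDays)*24*time.Hour + time.Hour).Seconds())`, which also drops the misnamed `maxAgeHours` (it holds a Duration, not a count of hours). Separately, `maxAge = -1` makes net/http emit `Max-Age=0`, which browsers treat as delete-now; if a non-positive setting is meant to yield a browser-session cookie, `maxAge = 0` (attribute omitted) is the value to use — worth confirming against the intended semantics of the setting. The extra hour presumably gives the cookie a grace period over the server-side token lifetime; a one-line comment stating that intent would keep the next reader from "fixing" it.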

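--- a/pkg/middleware/middleware_test.go
+++ b/pkg/middleware/middleware_test.go
@@ -6,6 +6,7 @@ import (
 	"net/http/httptest"
 	"path/filepath"
 	"testing"
+	"time"
 
 	msession "github.com/go-macaron/session"
 	"github.com/grafana/grafana/pkg/bus"
@@ -197,13 +198,17 @@ func TestMiddlewareContext(t *testing.T) {
 				return true, nil
 			}
 
+			maxAgeHours := (time.Duration(setting.LoginMaxLifetimeDays) * 24 * time.Hour)
+			maxAge := (maxAgeHours + time.Hour).Seconds()
+
 			expectedCookie := &http.Cookie{
-				Name:     cookieName,
+				Name:     setting.LoginCookieName,
 				Value:    "rotated",
 				Path:     setting.AppSubUrl + "/",
 				HttpOnly: true,
-				MaxAge:   OneYearInSeconds,
-				SameSite: http.SameSiteLaxMode,
+				MaxAge:   int(maxAge),
+				Secure:   setting.CookieSecure,
+				SameSite: setting.CookieSameSite,
 			}
 
 			sc.fakeReq("GET", "/").exec()
@@ -545,6 +550,9 @@ func middlewareScenario(desc string, fn scenarioFunc) {
 	Convey(desc, func() {
 		defer bus.ClearBusHandlers()
 
+		setting.LoginCookieName = "grafana_session"
+		setting.LoginMaxLifetimeDays = 30
+
 		sc := &scenarioContext{}
 
 		viewsPath, _ := filepath.Abs("../../public/views")
@@ -655,7 +663,7 @@ func (sc *scenarioContext) exec() {
 
 	if sc.tokenSessionCookie != "" {
 		sc.req.AddCookie(&http.Cookie{
-			Name:  cookieName,
+			Name:  setting.LoginCookieName,
 			Value: sc.tokenSessionCookie,
 		})
 	}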
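Review bot: middlewareScenario initialises LoginCookieName and LoginMaxLifetimeDays but not `setting.CookieSecure` or `setting.CookieSameSite`, so the expected cookie in TestMiddlewareContext is compared against their zero values — `Secure: false` and a SameSite of 0, which net/http treats as "omit the attribute" — which is a weaker check than the Lax mode the test used to pin. Add `setting.CookieSameSite = http.SameSiteLaxMode` (and an explicit `setting.CookieSecure`) next to the two existing assignments so the test proves the configured policy actually reaches the Set-Cookie header. The expected MaxAge is also derived from the same global and formula as the implementation, so it cannot detect WriteSessionCookie reading `setting.LoginMaxLifetimeDays` instead of its maxLifetimeDays argument; a literal expected value for the 30-day scenario (30 days plus the extra hour, in seconds) would catch that.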