
introduce samesite setting for login cookie

ref #15067
bergquist 6 år sedan
förälder
incheckning
a6bd2c73a0
4 ändrade filer med 23 tillägg och 0 borttagningar
  1. 3 0
      conf/defaults.ini
  2. 3 0
      conf/sample.ini
  3. 1 0
      pkg/services/auth/auth_token.go
  4. 16 0
      pkg/setting/setting.go

+ 3 - 0
conf/defaults.ini

@@ -113,6 +113,9 @@ cache_mode = private
 # Login cookie name
 cookie_name = grafana_session
 
+# Login cookie same site setting. defaults to `lax`. can be set to "lax", "strict" and "none"
+cookie_samesite = lax
+
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7
 
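Review bot: The new comment on `cookie_samesite` promises a `none` value, but the mapping this commit adds in pkg/setting/setting.go turns `"none"` into `http.SameSiteDefaultMode`, which does not produce `SameSite=None` (net/http leaves the attribute to the browser default for that mode), so an operator choosing `none` gets a different cookie than the comment suggests. Either document that behaviour, e.g. `# Login cookie SameSite setting. Defaults to "lax"; "strict" and "none" are also accepted ("none" currently omits the SameSite attribute and leaves the browser default).`, or map it to an explicit None mode in setting.go and note that browsers then require the cookie to be Secure. The identical comment in conf/sample.ini should be kept in sync with whichever wording is chosen. The mix of backticks and double quotes in the comment is also worth normalising to one style.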

+ 3 - 0
conf/sample.ini

@@ -109,6 +109,9 @@ log_queries =
 # Login cookie name
 ;cookie_name = grafana_session
 
+# Login cookie same site setting. defaults to `lax`. can be set to "lax", "strict" and "none"
+;cookie_samesite = lax
+
 # How many days an session can be unused before we inactivate it
 ;login_remember_days = 7
 

+ 1 - 0
pkg/services/auth/auth_token.go

@@ -96,6 +96,7 @@ func (s *UserAuthTokenServiceImpl) writeSessionCookie(ctx *models.ReqContext, va
 		Path:     setting.AppSubUrl + "/",
 		Secure:   s.Cfg.SecurityHTTPSCookies,
 		MaxAge:   maxAge,
+		SameSite: s.Cfg.LoginCookieSameSite,
 	}
 
 	http.SetCookie(ctx.Resp, &cookie)

+ 16 - 0
pkg/setting/setting.go

@@ -6,6 +6,7 @@ package setting
 import (
 	"bytes"
 	"fmt"
+	"net/http"
 	"net/url"
 	"os"
 	"path"
@@ -227,6 +228,7 @@ type Cfg struct {
 	LoginCookieMaxDays                int
 	LoginCookieRotation               int
 	LoginDeleteExpiredTokensAfterDays int
+	LoginCookieSameSite               http.SameSite
 
 	SecurityHTTPSCookies bool
 }
@@ -557,6 +559,20 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
 	cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
+
+	samesiteString := login.Key("cookie_samesite").MustString("lax")
+	validSameSiteValues := map[string]http.SameSite{
+		"lax":    http.SameSiteLaxMode,
+		"strict": http.SameSiteStrictMode,
+		"none":   http.SameSiteDefaultMode,
+	}
+
+	if samesite, ok := validSameSiteValues[samesiteString]; ok {
+		cfg.LoginCookieSameSite = samesite
+	} else {
+		cfg.LoginCookieSameSite = http.SameSiteLaxMode
+	}
+
 	cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(10)
 	if cfg.LoginCookieRotation < 2 {
 		cfg.LoginCookieRotation = 2