feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
author: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
committer: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
commit: b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree: 30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/cfg/cfg.go
parent: e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/app/cfg/cfg.go b/app/cfg/cfg.go
index ee6fffe..5b3025e 100644
--- a/app/cfg/cfg.go
+++ b/app/cfg/cfg.go
@@ -13,3 +13,6 @@ var OIDCIssuer string = env.Fetch("OIDC_ISSUER", "https://gitlab.com")
 var OAuthClientID string = env.Fetch("OAUTH_CLIENT_ID", "client_id")
 var OAuthClientSecret string = env.Fetch("OAUTH_CLIENT_SECRET", "client_secret")
 var OAuthRedirectURL string = env.Fetch("OAUTH_REDIRECT_URL", "http://localhost:8080/session/callback")
+
+var SessionCookie string = "__Host-session"
+var CSRFCookie string = "__Host-csrf"
author	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
committer	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
commit	b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree	30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/cfg/cfg.go
parent	e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)