authormo khan <mo@mokhan.ca>2025-04-30 12:02:14 -0600
committermo khan <mo@mokhan.ca>2025-04-30 12:02:14 -0600
commit197ef4ee79e7c4881c5c612115326f4e874c9415 (patch)
tree3d79d3556124ffee07a9d4f3791a81cd915f733b /app/controllers/sessions/controller.go
parentb992722e806e45ac3ade8ced829d939299c37c41 (diff)
fix: the CSRF cookie needs to have a same site lax mode
Diffstat (limited to 'app/controllers/sessions/controller.go')
-rw-r--r--app/controllers/sessions/controller.go5
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 8d0e858..5babe7d 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -33,7 +33,10 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
}
url, nonce := c.svc.GenerateRedirectURL()
- http.SetCookie(w, cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute)))
+ cookie := cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))
+ // This cookie must be sent as part of a redirect that originates from the OIDC Provider
+ cookie.SameSite = http.SameSiteLaxMode
+ http.SetCookie(w, cookie)
http.Redirect(w, r, url, http.StatusFound)
}
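Review bot: The new local `cookie := cookie.New(...)` shadows the `cookie` package for the rest of the function, which compiles only because the package is referenced on the right-hand side before the variable exists, and makes any later `cookie.` reference in this scope silently resolve to the struct instead of the package; a distinct name avoids the trap: `oauthState := cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))`, `oauthState.SameSite = http.SameSiteLaxMode`, `http.SetCookie(w, oauthState)`. The added comment would be more useful if it said why Lax rather than Strict was chosen, e.g. `// Lax (not Strict): the state cookie must still be sent on the top-level GET redirect back from the OIDC provider, which Strict would drop and so break the state check.` Since cookie.New is outside this hunk I cannot see whether it sets HttpOnly and Secure on the cookie; if it does not, both belong alongside the SameSite assignment for a state/nonce cookie like this one. The enclosing New method begins before this hunk.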