Feature: Session Only Cookies (#1752)

* feat(ctx): add SessionOnly property on Cookie struct * feat(middleware/config): add CookieSessionOnly property on middleware Config struct * feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function * fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie * fix(readme): update readme in csrf middleware for CookieSessionOnly property * remove deprecated property from CookieSessionOnly explaination comments
gofiber · Feb 7, 2022 · 68fcd8c · 68fcd8c
1 parent ad1a925
commit 68fcd8c
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 26 deletions.
diff --git a/ctx.go b/ctx.go
@@ -75,15 +75,16 @@ type Range struct {
 
 // Cookie data for c.Cookie
 type Cookie struct {
-	Name     string    `json:"name"`
-	Value    string    `json:"value"`
-	Path     string    `json:"path"`
-	Domain   string    `json:"domain"`
-	MaxAge   int       `json:"max_age"`
-	Expires  time.Time `json:"expires"`
-	Secure   bool      `json:"secure"`
-	HTTPOnly bool      `json:"http_only"`
-	SameSite string    `json:"same_site"`
+	Name        string    `json:"name"`
+	Value       string    `json:"value"`
+	Path        string    `json:"path"`
+	Domain      string    `json:"domain"`
+	MaxAge      int       `json:"max_age"`
+	Expires     time.Time `json:"expires"`
+	Secure      bool      `json:"secure"`
+	HTTPOnly    bool      `json:"http_only"`
+	SameSite    string    `json:"same_site"`
+	SessionOnly bool      `json:"session_only"`
 }
 
 // Views is the interface that wraps the Render function.
@@ -410,8 +411,13 @@ func (c *Ctx) Cookie(cookie *Cookie) {
 	fcookie.SetValue(cookie.Value)
 	fcookie.SetPath(cookie.Path)
 	fcookie.SetDomain(cookie.Domain)
-	fcookie.SetMaxAge(cookie.MaxAge)
-	fcookie.SetExpire(cookie.Expires)
+	// only set max age and expiry when SessionOnly is false
+	// i.e. cookie supposed to last beyond browser session
+	// refer: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie
+	if !cookie.SessionOnly {
+		fcookie.SetMaxAge(cookie.MaxAge)
+		fcookie.SetExpire(cookie.Expires)
+	}
 	fcookie.SetSecure(cookie.Secure)
 	fcookie.SetHTTPOnly(cookie.HTTPOnly)
 

diff --git a/ctx_test.go b/ctx_test.go
@@ -660,6 +660,14 @@ func Test_Ctx_Cookie(t *testing.T) {
 	cookie.SameSite = CookieSameSiteNoneMode
 	c.Cookie(cookie)
 	utils.AssertEqual(t, expect, string(c.Response().Header.Peek(HeaderSetCookie)))
+
+	expect = "username=john; path=/; secure; SameSite=None"
+	// should remove expires and max-age headers
+	cookie.SessionOnly = true
+	cookie.Expires = expire
+	cookie.MaxAge = 10000
+	c.Cookie(cookie)
+	utils.AssertEqual(t, expect, string(c.Response().Header.Peek(HeaderSetCookie)))
 }
 
 // go test -v -run=^$ -bench=Benchmark_Ctx_Cookie -benchmem -count=4

diff --git a/middleware/csrf/README.md b/middleware/csrf/README.md
@@ -109,6 +109,10 @@ type Config struct {
 	// Optional. Default value "Lax".
 	CookieSameSite string
 
+	// Decides whether cookie should last for only the browser sesison.
+	// Ignores Expiration if set to true
+	CookieSessionOnly bool
+
 	// Expiration is the duration before csrf token will expire
 	//
 	// Optional. Default: 1 * time.Hour

diff --git a/middleware/csrf/config.go b/middleware/csrf/config.go
@@ -53,6 +53,10 @@ type Config struct {
 	// Optional. Default value "Lax".
 	CookieSameSite string
 
+	// Decides whether cookie should last for only the browser sesison.
+	// Ignores Expiration if set to true
+	CookieSessionOnly bool
+
 	// Expiration is the duration before csrf token will expire
 	//
 	// Optional. Default: 1 * time.Hour

diff --git a/middleware/csrf/csrf.go b/middleware/csrf/csrf.go
@@ -48,13 +48,14 @@ func New(config ...Config) fiber.Handler {
 			if manager.getRaw(token) == nil {
 				// Expire cookie
 				c.Cookie(&fiber.Cookie{
-					Name:     cfg.CookieName,
-					Domain:   cfg.CookieDomain,
-					Path:     cfg.CookiePath,
-					Expires:  time.Now().Add(-1 * time.Minute),
-					Secure:   cfg.CookieSecure,
-					HTTPOnly: cfg.CookieHTTPOnly,
-					SameSite: cfg.CookieSameSite,
+					Name:        cfg.CookieName,
+					Domain:      cfg.CookieDomain,
+					Path:        cfg.CookiePath,
+					Expires:     time.Now().Add(-1 * time.Minute),
+					Secure:      cfg.CookieSecure,
+					HTTPOnly:    cfg.CookieHTTPOnly,
+					SameSite:    cfg.CookieSameSite,
+					SessionOnly: cfg.CookieSessionOnly,
 				})
 				return cfg.ErrorHandler(c, errTokenNotFound)
 			}
@@ -71,14 +72,15 @@ func New(config ...Config) fiber.Handler {
 
 		// Create cookie to pass token to client
 		cookie := &fiber.Cookie{
-			Name:     cfg.CookieName,
-			Value:    token,
-			Domain:   cfg.CookieDomain,
-			Path:     cfg.CookiePath,
-			Expires:  time.Now().Add(cfg.Expiration),
-			Secure:   cfg.CookieSecure,
-			HTTPOnly: cfg.CookieHTTPOnly,
-			SameSite: cfg.CookieSameSite,
+			Name:        cfg.CookieName,
+			Value:       token,
+			Domain:      cfg.CookieDomain,
+			Path:        cfg.CookiePath,
+			Expires:     time.Now().Add(cfg.Expiration),
+			Secure:      cfg.CookieSecure,
+			HTTPOnly:    cfg.CookieHTTPOnly,
+			SameSite:    cfg.CookieSameSite,
+			SessionOnly: cfg.CookieSessionOnly,
 		}
 		// Set cookie to response
 		c.Cookie(cookie)