client/web: add security attributes on session cookie

Limit cookies to HTTP requests (not accessible from javascript).
Set SameSite to "Lax", which is similar to "Strict" but allows for
cookies to be included in requests that come from offsite links.  This
will be necessary when we link to the web client from the admin console.

Updates #10261
Fixes tailscale/corp#16265

Signed-off-by: Will Norris <will@tailscale.com>
This commit is contained in:
Will Norris 2023-12-08 10:19:13 -08:00 committed by Will Norris
parent 261b6f1e9f
commit c615fe2296
1 changed files with 13 additions and 5 deletions

View File

@ -494,11 +494,19 @@ func (s *Server) serveAPIAuthSessionNew(w http.ResponseWriter, r *http.Request)
}
// Set the cookie on browser.
http.SetCookie(w, &http.Cookie{
Name: sessionCookieName,
Value: session.ID,
Raw: session.ID,
Path: "/",
Expires: session.expires(),
Name: sessionCookieName,
Value: session.ID,
Raw: session.ID,
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Expires: session.expires(),
// We can't set Secure to true because we serve over HTTP
// (but only on Tailscale IPs, hence over encrypted
// connections that a LAN-local attacker cannot sniff).
// In the future, we could support HTTPS requests using
// the full MagicDNS hostname, and could set this.
// Secure: true,
})
}