Open
Description
I was reading the Session Management Cheat Sheet of OWASP and found this:
Note: The directive Cache-Control: no-cache="Set-Cookie, Set-Cookie2" is sometimes suggested to prevent session ID caching. However, this syntax is not widely supported and may lead to unintended behavior. Instead, use Cache-Control: no-store for stronger protection. Reference: MDN - Cache-Control
@alexedwards How about changing this response header field value from `no-cache="Set-Cookie"` to `no-store`?
func (s *SessionManager) WriteSessionCookie(ctx context.Context, w http.ResponseWriter, token string, expiry time.Time) {
cookie := &http.Cookie{
Name: s.Cookie.Name,
Value: token,
Path: s.Cookie.Path,
Domain: s.Cookie.Domain,
Secure: s.Cookie.Secure,
HttpOnly: s.Cookie.HttpOnly,
SameSite: s.Cookie.SameSite,
}
if expiry.IsZero() {
cookie.Expires = time.Unix(1, 0)
cookie.MaxAge = -1
} else if s.Cookie.Persist || s.GetBool(ctx, "__rememberMe") {
cookie.Expires = time.Unix(expiry.Unix()+1, 0) // Round up to the nearest second.
cookie.MaxAge = int(time.Until(expiry).Seconds() + 1) // Round up to the nearest second.
}
w.Header().Add("Set-Cookie", cookie.String())
- w.Header().Add("Cache-Control", `no-cache="Set-Cookie"`)
+ w.Header().Add("Cache-Control", "no-store)
}
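Review bot: the `+` line has an unterminated string literal, `"no-store)`, so the proposed change would not compile; it should read `w.Header().Add("Cache-Control", "no-store")`. While touching this line, consider `Set` instead of `Add`: `Add` appends a second `Cache-Control` value when the application handler has already set one, and a response carrying both `no-store` and, say, a `max-age` directive leaves the caching decision to whatever intermediary parses it.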
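As an added example (not code from this issue or from the scs project), the same `no-store` rule applied application-wide: a middleware that forces `Cache-Control: no-store` on any response carrying a `Set-Cookie` header, replacing rather than appending to an existing value. The names `NoStoreOnSetCookie` and `CacheControlFor` are hypothetical, and the cookie value in `main` is a constructed sample.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
// noStoreWriter wraps http.ResponseWriter so the header check runs once, just before headers are flushed.
type noStoreWriter struct {
	http.ResponseWriter
	done bool
}

func (w *noStoreWriter) fix() {
	if w.done {
		return
	}
	w.done = true
	if len(w.Header().Values("Set-Cookie")) > 0 {
		// Set, not Add: replaces a stale no-cache="Set-Cookie" value instead of adding a second Cache-Control.
		w.Header().Set("Cache-Control", "no-store")
	}
}
func (w *noStoreWriter) WriteHeader(code int) { w.fix(); w.ResponseWriter.WriteHeader(code) }
func (w *noStoreWriter) Write(b []byte) (int, error) { w.fix(); return w.ResponseWriter.Write(b) }

// NoStoreOnSetCookie (hypothetical name) forces Cache-Control: no-store on
// every response that carries a Set-Cookie header.
func NoStoreOnSetCookie(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		nw := &noStoreWriter{ResponseWriter: rw}
		next.ServeHTTP(nw, r)
		nw.fix() // handler wrote no body: headers go out after it returns, so fix here too
	})
}

// CacheControlFor runs h through the middleware and returns the resulting Cache-Control value.
func CacheControlFor(h http.HandlerFunc) string {
	rr := httptest.NewRecorder()
	NoStoreOnSetCookie(h).ServeHTTP(rr, httptest.NewRequest("GET", "/", nil))
	return rr.Header().Get("Cache-Control")
}

func main() {
	fmt.Println(CacheControlFor(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: "session", Value: "constructed-token"}) // constructed sample
		w.Header().Add("Cache-Control", `no-cache="Set-Cookie"`)                     // the old directive
	})) // prints no-store
}
```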