Add SameSite setting for cookies (#14900)

Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-10-31 21:28:11 +09:00 · 2021-03-07 08:12:43 +00:00
parent beed5476e2
commit 9b261f52f0
14 changed files with 184 additions and 45 deletions
--- a/modules/web/middleware/locale.go
+++ b/modules/web/middleware/locale.go
@@ -7,6 +7,7 @@ package middleware
 import (
 	"net/http"

+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/translation"

 	"github.com/unknwon/i18n"
@@ -42,8 +43,30 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
 	}

 	if changeLang {
-		SetCookie(resp, "lang", lang, 1<<31-1)
+		SetLocaleCookie(resp, lang, 1<<31-1)
 	}

 	return translation.NewLocale(lang)
 }
+
+// SetLocaleCookie convenience function to set the locale cookie consistently
+func SetLocaleCookie(resp http.ResponseWriter, lang string, expiry int) {
+	SetCookie(resp, "lang", lang, expiry,
+		setting.AppSubURL,
+		setting.SessionConfig.Domain,
+		setting.SessionConfig.Secure,
+		true,
+		SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteLocaleCookie convenience function to delete the locale cookie consistently
+// Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+func DeleteLocaleCookie(resp http.ResponseWriter) {
+	SetCookie(resp, "lang", "",
+		-1,
+		setting.AppSubURL,
+		setting.SessionConfig.Domain,
+		setting.SessionConfig.Secure,
+		true,
+		SameSite(setting.SessionConfig.SameSite))
+}