fix: Cookie 启用 httponly (#3941)

9 months ago · 50a83e7e11
2 changed files with 4 additions and 4 deletions
--- a/backend/app/service/auth.go
+++ b/backend/app/service/auth.go
@ -133,7 +133,7 @@ func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) (
 	sessionUser, err := global.SESSION.Get(sID)
 	if err != nil {
 		sID = uuid.New().String()
-		c.SetCookie(constant.SessionName, sID, 0, "", "", httpsSetting.Value == "enable", false)
+		c.SetCookie(constant.SessionName, sID, 0, "", "", httpsSetting.Value == "enable", true)
 		err := global.SESSION.Set(sID, sessionUser, lifeTime)
 		if err != nil {
 			return nil, err
@ -154,7 +154,7 @@ func (u *AuthService) LogOut(c *gin.Context) error {
 	}
 	sID, _ := c.Cookie(constant.SessionName)
 	if sID != "" {
-		c.SetCookie(constant.SessionName, sID, -1, "", "", httpsSetting.Value == "enable", false)
+		c.SetCookie(constant.SessionName, sID, -1, "", "", httpsSetting.Value == "enable", true)
 		err := global.SESSION.Delete(sID)
 		if err != nil {
 			return err
--- a/backend/app/service/setting.go
+++ b/backend/app/service/setting.go
@ -199,7 +199,7 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error {
 		_ = os.Remove(path.Join(secretDir, "server.crt"))
 		_ = os.Remove(path.Join(secretDir, "server.key"))
 		sID, _ := c.Cookie(constant.SessionName)
-		c.SetCookie(constant.SessionName, sID, 0, "", "", false, false)
+		c.SetCookie(constant.SessionName, sID, 0, "", "", false, true)

 		go func() {
 			_, err := cmd.Exec("systemctl restart 1panel.service")
@ -294,7 +294,7 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error {
 	}

 	sID, _ := c.Cookie(constant.SessionName)
-	c.SetCookie(constant.SessionName, sID, 0, "", "", true, false)
+	c.SetCookie(constant.SessionName, sID, 0, "", "", true, true)
 	go func() {
 		time.Sleep(1 * time.Second)
 		_, err := cmd.Exec("systemctl restart 1panel.service")