mirror of
https://github.com/octoleo/syncthing.git
synced 2024-12-22 19:08:58 +00:00
So that it does not unnecessarily leak over clear text connections.
This commit is contained in:
parent
c76bd7dcc4
commit
2816780b52
@ -108,10 +108,22 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
|
||||
sessionsMut.Lock()
|
||||
sessions[sessionid] = true
|
||||
sessionsMut.Unlock()
|
||||
|
||||
// Best effort detection of whether the connection is HTTPS --
|
||||
// either directly to us, or as used by the client towards a reverse
|
||||
// proxy who sends us headers.
|
||||
connectionIsHTTPS := r.TLS != nil ||
|
||||
strings.ToLower(r.Header.Get("x-forwarded-proto")) == "https" ||
|
||||
strings.Contains(strings.ToLower(r.Header.Get("forwarded")), "proto=https")
|
||||
// If the connection is HTTPS, or *should* be HTTPS, set the Secure
|
||||
// bit in cookies.
|
||||
useSecureCookie := connectionIsHTTPS || guiCfg.UseTLS()
|
||||
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: cookieName,
|
||||
Value: sessionid,
|
||||
MaxAge: 0,
|
||||
Secure: useSecureCookie,
|
||||
})
|
||||
|
||||
emitLoginAttempt(true, username, r.RemoteAddr, evLogger)
|
||||
|
Loading…
Reference in New Issue
Block a user