Add cookiestore session backend

(store in user cookie only)
cloud-gov · Oct 5, 2017 · db39223 · db39223
1 parent 3fa230b
commit db39223
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -52,7 +52,9 @@ cf create-user-provided-service dashboard-ups -p @<(cat <<EOF
   "CONSOLE_CLIENT_ID": "your-client-id",
   "CONSOLE_CLIENT_SECRET": "your-client-secret",
   "CSRF_KEY": "$(openssl rand -hex 32)",
+  "SESSION_BACKEND": "cookiestore",
   "SESSION_AUTHENTICATION_KEY": "$(openssl rand -hex 64)",
+  "SESSION_ENCRYPTION_KEY": "$(openssl rand -hex 32)",
   "SMTP_HOST": "smtp.host.com",
   "SMTP_PORT": "25",
   "SMTP_USER": "username",
@@ -64,12 +66,6 @@ EOF
 )
 ```
 
-Create a redis service instance:
-
-```bash
-cf create-service redis28 standard dashboard-redis
-```
-
 ### Create a Client with UAAC
 
 - Make sure [UAAC](https://github.com/cloudfoundry/cf-uaac) is installed.

diff --git a/helpers/env_vars.go b/helpers/env_vars.go
@@ -66,6 +66,8 @@ var (
 	CSRFKeyEnvVar = "CSRF_KEY"
 	// SessionAuthenticationEnvVar used to sign user sessions. Must be 32 or 64 hex-encoded bytes, e.g. openssl rand -hex 64
 	SessionAuthenticationEnvVar = "SESSION_AUTHENTICATION_KEY"
+	// SessionEncryptionEnvVar used to encrypt user sessions. Used by "SESSION_BACKEND=cookiestore". Must be 16, 24 or 32 hex-encoded bytes, e.g. openssl rand -hex 32
+	SessionEncryptionEnvVar = "SESSION_ENCRYPTION_KEY"
 )
 
 // EnvVars provides a convenient method to access environment variables

diff --git a/helpers/settings.go b/helpers/settings.go
@@ -185,6 +185,23 @@ func (s *Settings) InitSettings(envVars *EnvVars, env *cfenv.App) (retErr error)
 	}
 
 	switch envVars.String(SessionBackendEnvVar, "") {
+	case "cookiestore":
+		sessionEncryptionKey, err := hex.DecodeString(envVars.MustString(SessionEncryptionEnvVar))
+		if err != nil {
+			return err
+		}
+		store := sessions.NewCookieStore(sessionAuthenticationKey, sessionEncryptionKey)
+		store.Options.HttpOnly = true
+		store.Options.Secure = s.SecureCookies
+
+		s.Sessions = store
+		s.SessionBackend = "cookiestore"
+		s.SessionBackendHealthCheck = func() bool { return true }
+
+		// When using cookiestore, we need our cookies to be under 4096 bytes, or they cannot
+		// be stored. Opaque UAA tokens gets us small enough.
+		// See: https://godoc.org/github.com/gorilla/securecookie#SecureCookie.MaxLength
+		s.OpaqueUAATokens = true
 	case "redis":
 		address, password, err := getRedisSettings(env)
 		if err != nil {