MEDIUM: Session cookie missing Secure flag — transmitted over HTTP #22

Closed
opened 2026-02-16 05:47:12 +01:00 by clawbot · 1 comment
Collaborator

Bug

File: internal/service/auth/auth.go, New(), line ~70

Severity: MEDIUM — Session hijacking

Description

The session cookie store is configured without the Secure flag:

store.Options = &sessions.Options{
    Path:     "/",
    MaxAge:   sessionMaxAgeSeconds,
    HttpOnly: true,
    SameSite: http.SameSiteLaxMode,
}

Without Secure: true, the session cookie will be sent over plaintext HTTP connections, making it vulnerable to interception by network attackers (e.g., on shared Wi-Fi).

Suggested Fix

Add Secure: true to the cookie options, or make it configurable based on whether the app is behind TLS:

store.Options = &sessions.Options{
    Path:     "/",
    MaxAge:   sessionMaxAgeSeconds,
    HttpOnly: true,
    Secure:   true,
    SameSite: http.SameSiteLaxMode,
}
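The issue proposes either hard-coding Secure: true or deriving it from whether the app sits behind TLS. The example below is added here and is not code from the upaas project or from the issue author; it uses only net/http rather than gorilla/sessions, and the CookieConfig type, the "session" cookie name and the sessionMaxAgeSeconds value are assumptions. It shows the attribute set the fix needs, a test-style check that reads the Set-Cookie header the server actually emits, and the caveat that matters when TLS is terminated by a reverse proxy: r.TLS is nil in that case, so the flag has to come from deployment config, not from inspecting the request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionMaxAgeSeconds mirrors the constant named in the issue; the value is an assumption.
const sessionMaxAgeSeconds = 86400

// CookieConfig is a hypothetical deployment setting. SecureCookies must be true
// whenever clients reach the app over HTTPS, including when a reverse proxy
// terminates TLS in front of the Go process (r.TLS is nil there, so the flag
// cannot be derived safely from the incoming request alone).
type CookieConfig struct {
	SecureCookies bool
}

// sessionCookie builds the session cookie with the full hardening attribute set.
func sessionCookie(cfg CookieConfig, value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session", // assumed cookie name
		Value:    value,
		Path:     "/",
		MaxAge:   sessionMaxAgeSeconds,
		HttpOnly: true,
		Secure:   cfg.SecureCookies,
		SameSite: http.SameSiteLaxMode,
	}
}

// setSessionHandler issues the session cookie on a successful login.
func setSessionHandler(cfg CookieConfig) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie(cfg, "opaque-session-id"))
		w.WriteHeader(http.StatusNoContent)
	}
}

// issuedCookie drives the handler through httptest and returns the cookie parsed
// back from the Set-Cookie header, which is what a regression test for the fix
// should inspect rather than the in-memory options struct.
func issuedCookie(cfg CookieConfig) (*http.Cookie, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/login", nil)
	setSessionHandler(cfg)(rec, req)
	cookies := rec.Result().Cookies()
	if len(cookies) != 1 {
		return nil, fmt.Errorf("expected exactly one Set-Cookie, got %d", len(cookies))
	}
	return cookies[0], nil
}

// auditCookie returns the hardening attributes a session cookie is missing;
// an empty slice means the cookie passes.
func auditCookie(c *http.Cookie) []string {
	var missing []string
	if !c.Secure {
		missing = append(missing, "Secure")
	}
	if !c.HttpOnly {
		missing = append(missing, "HttpOnly")
	}
	if c.SameSite == http.SameSiteDefaultMode || c.SameSite == http.SameSiteNoneMode {
		missing = append(missing, "SameSite=Lax or Strict")
	}
	return missing
}

func main() {
	// The first config reproduces the reported misconfiguration, the second the fix.
	for _, cfg := range []CookieConfig{{SecureCookies: false}, {SecureCookies: true}} {
		c, err := issuedCookie(cfg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  missing: %v\n", c.String(), auditCookie(c))
	}
}
```

Running it prints the two Set-Cookie values; only the first is flagged, with "Secure" as the single missing attribute. In production the SecureCookies value belongs in the service configuration (true for any HTTPS deployment, proxy-terminated or not), and a test like issuedCookie plus auditCookie against the real New() keeps the flag from silently regressing.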
Owner

fixed in #10

sneak closed this issue 2026-02-16 06:34:21 +01:00
Reference: sneak/upaas#22