Use encryption for cookies

2025-08-17 22:13:50 +02:00 · 2020-07-24 16:22:13 +02:00 · 2020-07-24 16:22:13 +02:00 · 5de3767e70
commit 5de3767e70
parent 46e1e9b9f4
5 changed files with 27 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -42,9 +42,10 @@ server:
  - any 
 # if true the server randomly selects a host to connect to
 roundRobin: false 
- # a random string of at least 32 characters to secure cookies on the client
+ # a random strings of at least 32 characters to secure cookies on the client
 # make sure to share this across the different pods
 sessionKey: thisisasessionkeyreplacethisjetzt
+ sessionEncryptionKey: thisisasessionkeyreplacethisnunu!
 # Open ID Connect specific settings
 openId:
 providerUrl: http://keycloak/auth/realms/test
--- a/api/web.go
+++ b/api/web.go
@ -24,18 +24,19 @@ const (
 type TokenGeneratorFunc func(string, string) (string, error)

 type Config struct {
-	SessionKey          []byte
-	TokenGenerator      TokenGeneratorFunc
-	OAuth2Config        *oauth2.Config
-	store               *sessions.CookieStore
-	TokenVerifier       *oidc.IDTokenVerifier
-	stateStore          *cache.Cache
-	Hosts               []string
-	GatewayAddress      string
-	UsernameTemplate    string
-	NetworkAutoDetect   int
-	BandwidthAutoDetect int
-	ConnectionType      int
+	SessionKey           []byte
+	SessionEncryptionKey []byte
+	TokenGenerator       TokenGeneratorFunc
+	OAuth2Config         *oauth2.Config
+	store                *sessions.CookieStore
+	TokenVerifier        *oidc.IDTokenVerifier
+	stateStore           *cache.Cache
+	Hosts                []string
+	GatewayAddress       string
+	UsernameTemplate     string
+	NetworkAutoDetect    int
+	BandwidthAutoDetect  int
+	ConnectionType       int
 }

 func (c *Config) NewApi() {
@ -45,7 +46,7 @@ func (c *Config) NewApi() {
 	if len(c.Hosts) < 1 {
 		log.Fatal("Not enough hosts to connect to specified")
 	}
-	c.store = sessions.NewCookieStore(c.SessionKey)
+	c.store = sessions.NewCookieStore(c.SessionKey, c.SessionEncryptionKey)
 	c.stateStore = cache.New(time.Minute*2, 5*time.Minute)
 }

--- a/config/configuration.go
+++ b/config/configuration.go
@ -10,17 +10,18 @@ type Configuration struct {
 	OpenId   OpenIDConfig
 	Caps     RDGCapsConfig
 	Security SecurityConfig
-	Client	 ClientConfig
+	Client   ClientConfig
 }

 type ServerConfig struct {
-	GatewayAddress string
-	Port           int
-	CertFile       string
-	KeyFile        string
-	Hosts          []string
-	RoundRobin     bool
-	SessionKey     string
+	GatewayAddress       string
+	Port                 int
+	CertFile             string
+	KeyFile              string
+	Hosts                []string
+	RoundRobin           bool
+	SessionKey           string
+	SessionEncryptionKey string
 }

 type OpenIDConfig struct {
--- a/main.go
+++ b/main.go
@ -61,6 +61,7 @@ func main() {
 		TokenVerifier: verifier,
 		TokenGenerator: security.GeneratePAAToken,
 		SessionKey: []byte(conf.Server.SessionKey),
+		SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey),
 		Hosts: conf.Server.Hosts,
 		NetworkAutoDetect: conf.Client.NetworkAutoDetect,
 		UsernameTemplate: conf.Client.UsernameTemplate,
--- a/protocol/handler.go
+++ b/protocol/handler.go
@ -100,7 +100,7 @@ func (h *Handler) Process() error {
 			_, cookie := readCreateTunnelRequest(pkt)
 			if h.VerifyTunnelCreate != nil {
 				if ok, _ := h.VerifyTunnelCreate(h.Session, cookie); !ok {
-					log.Printf("Invalid PAA cookie: %s", cookie)
+					log.Printf("Invalid PAA cookie received")
 					return errors.New("invalid PAA cookie")
 				}
 			}
@ -284,7 +284,6 @@ func readCreateTunnelRequest(data []byte) (caps uint32, cookie string) {
 		r.Read(cookieB)
 		cookie, _ = DecodeUTF16(cookieB)
 	}
-	log.Printf("Create tunnel caps: %d, cookie: %s", caps, cookie)
 	return
 }