Iris
Installing IrisGetting Started
Search…
What is Iris
📌Getting started
Installation
Quick start
🔌Routing
Middleware
API Versioning
🗜️Compression
Index
✈️Redirect
Redirect from Context
Rewrite Middleware
Multi Application Instances
🖼️ View/Templates
Documentation
Benchmarks
➲ Examples
📁File Server
Introduction
Listing
In-memory Cache
HTTP/2 Push + Embedded + Cache and Compression
The PrefixDir function
Serve files from Context
➲ Examples
🌎Localization
Documentation
Sitemap
➲ Examples
🛡️Security
Basic Authentication
CORS
Sessions & Cookies
CSRF
JSON Web Tokens
Access Control
Anti-bot CAPTCHA
➲ Examples
🚀Responses
Text
HTML
Markdown
XML
YAML
Binary
JSON
JSONP
Problem
Protocol Buffers
MessagePack
Gzip
Content Negotiation
Stream
Server-Sent Events
HTTP/2 Push
Recorder
Outroduction
➲ Examples
📥
Requests
URL Query
Headers
URL Path Parameters
Form
Text
XML
YAML
Binary
JSON
Validation
Protocol Buffers
MessagePack
Gzip
Outroduction
➲ Examples
💉Dependency Injection
Documentation
Register Dependency from Context
Inputs
Outputs
➲ Examples
🦏MVC
Quick start
Documentation
Handle Errors
Sessions
Websockets
gRPC
➲ Examples
🤓Resources
Examples
Starter Kits
Publications
Benchmarks
Support
📘Contents
Host
Configuration
Routing
HTTP Method Override
HTTP Referrer
URL Query Parameters
Forms
Model Validation
Cache
Cookies
Sessions
Websockets
Sitemap
Localization
Testing
Powered By GitBook
Sessions & Cookies
In this section we will learn how to configure Session cookies (and general HTTP cookies) in a more security-perspective view.

Disable Subdomain Persistence

By default Iris Sessions Manager allows cookie sharing between your root domain and subdomains, for security reasons you may want to disable that behavior with the DisableSubdomainPersistence option:
1
import "github.com/kataras/iris/v12/sessions"
Copied!
1
sess := sessions.New(sessions.Config{
2
Cookie: "_iris_session",
3
AllowReclaim: true,
4
DisableSubdomainPersistence: true,
5
})
6
app.UseRouter(sess.Handler())
Copied!
The Sessions Manager has its own field to configure the session cookie encryption in order to be independent from other cookies sent to the client. You can pass Cookie Options at the sess.Handler(...CookieOption) method too.
Contrariwise, the default cookie options have disabled the cookie sharing across subdomains. When working with HTTP cookies, the SameSite option should be set to http.SameSiteLaxMode and its Domain field to the current site domain in order to enable cookie sharing under a root domain and its subdomains. You can do it by setting the CookieAllowSubdomains Cookie Option to the Iris request Context:
1
CookieAllowSubdomains(cookieNames ...string) CookieOption
Copied!
1
func routeHandler(ctx iris.Context) {
2
ctx.SetCookieKV("name", "value", iris.CookieAllowSubdomains())
3
}
Copied!
1
import "net/http"
2
// [...]
3
4
func routeHandler(ctx iris.Context) {
5
ctx.SetCookie(&iris.Cookie{
6
Name: "name",
7
Value: "value",
8
// Other Fields...
9
}, iris.CookieAllowSubdomains())
10
}
Copied!
Or by using the AddCookieOptions.
1
func middleware(ctx iris.Context) {
2
ctx.AddCookieOptions(iris.CookieAllowSubdomains())
3
ctx.Next()
4
}
5
6
func routeHandler(ctx iris.Context) {
7
ctx.SetCookieKV("name", "value")
8
}
9
10
func main() {
11
app := iris.New()
12
13
app.Use(middleware)
14
app.Get("/", routeHandler)
15
// [...]
16
}
Copied!

Cookie Encryption

Like the CSRF token, we learnt about in the previous sections, you can also secure all cookies in general.
The iris.CookieEncoding option registers a SecureCookie implementation.
1
CookieEncoding(encoding SecureCookie, cookieNames ...string) CookieOption
Copied!
The SecureCookie interface looks like this:
1
type SecureCookie interface {
2
Encode(name string, val interface{}) (string, error)
3
Decode(name string, original string, dest interface{}) error
4
}
Copied!
The SecureCookie interface is 100% compatible with the gorilla/securecookie package. Which is simple and easy to use and it does its job very good.
Let's see how we can integrate it with Iris to safely transmit our cookies to clients. Note that, it's still highly recommended your server runs under TLS (https://).
1. Install the securecookie package:
1
$ go get -u github.com/gorilla/securecookie
Copied!
2. Import it in your code:
1
import "github.com/gorilla/securecookie"
Copied!
3. The securecookie requires hash and block keys, should be NOT shared publically. For the sake of the example we will use generated ones but, keep note that the keys should be persistence across server restarts in production stage in order for cookies to be validated as expected:
1
hashKey := securecookie.GenerateRandomKey(64)
2
blockKey := securecookie.GenerateRandomKey(32)
Copied!
4. Initialize a secure cookie instance:
1
s := securecookie.New(hashKey, blockKey)
Copied!
5. Register it with the Iris CookieEncoding Option, as we've seen below there are several ways, depending when and where you need a cookie option to be applied:
1
import "net/http"
2
// [...]
3
4
func routeHandler(ctx iris.Context) {
5
ctx.SetCookie(&iris.Cookie{
6
Name: "name",
7
Value: "value",
8
}, iris.CookieEncoding(s))
9
}
10
11
func main() {
12
app := iris.New()
13
14
app.Get("/", routeHandler)
15
// [...]
16
}
Copied!
OR to register it on all cookies, using a middleware and calling the AddCookieOption Context method:
1
func routeHandler(ctx iris.Context) {
2
ctx.SetCookie(&iris.Cookie{
3
Name: "name",
4
Value: "value",
5
})
6
}
7
8
func main() {
9
app := iris.New()
10
app.UseRouter(func(ctx iris.Context) {
11
ctx.AddCookieOptions(iris.CookieEncoding(s))
12
ctx.Next()
13
})
14
15
app.Get("/", routeHandler)
16
// [...]
17
}
Copied!

Cookie SameSite

The introduction of the SameSite attribute (defined in RFC6265) allows you to declare if your cookie should be restricted to a first-party or same-site context. It's helpful to understand exactly what 'site' means here. The site is the combination of the domain suffix and the part of the domain just before it. For example, the www.web.dev domain is part of the web.dev site.
If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.
The public suffix list defines this, so it's not just top-level domains like .com but also includes services like github.io. That enables your-project.github.io and my-project.github.io to count as separate sites.
If the user is on your-project.web.dev and requests an image from my-project.github.io that's a cross-site request.
Introducing the SameSite attribute on a cookie provides three different ways to control this behaviour. You can choose to not specify the attribute, or you can use Strict or Lax to limit the cookie to same-site requests.
The SameSite attribute accepts three values:
  • Lax Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.
  • Strict Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
  • None Cookies will be sent in all contexts, i.e sending cross-origin is allowed. None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks. None requires the Secure attribute in latest browser versions.
Available Cookie SameSite Values:
  • iris.SameSiteDefaultMode
  • iris.SameSiteLaxMode
  • iris.SameSiteStrictMode
  • iris.SameSiteNoneMode
Set SameSite with SetCookie:
1
ctx.SetCookie(&iris.Cookie{
2
Name: ...,
3
Value: ...,
4
SameSite: iris.SameSiteLaxMode,
5
})
Copied!
Set SameSite with AddCookieOptions:
1
ctx.AddCookieOptions(iris.CookieSameSite(iris.SameSiteLaxMode))
Copied!
Set SameSite with SetCookieKV:
1
ctx.SetCookieKV(name, value, iris.CookieSameSite(iris.SameSiteLaxMode))
Copied!
🛡️Security - Previous
CORS
Next - 🛡️Security
CSRF
Last modified 1yr ago
Export as PDF
Copy link
Contents
Disable Subdomain Persistence
Cookie Encryption
Cookie SameSite