diff --git a/server/ctrl/session.go b/server/ctrl/session.go
index 2521539d..462ee89f 100644
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@@ -8,6 +8,7 @@ import (
 "github.com/mickael-kerjean/filestash/server/model"
 "net/http"
 "net/url"
+ "strconv"
 "strings"
 "time"
 )
@@ -84,15 +85,31 @@ func SessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Request) {
 SendErrorResult(res, NewError(err.Error(), 500))
 return
 }
- http.SetCookie(res, &http.Cookie{
- Name: COOKIE_NAME_AUTH,
- Value: obfuscate,
- MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
- Path: COOKIE_PATH,
- HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
- })
-
+ // split session cookie if greater than 3800 bytes
+ value_limit := 3800
+ index := 0
+ end := 0
+ for {
+ if len(obfuscate) >= (index+1)*value_limit {
+ end = (index + 1) * value_limit
+ } else {
+ end = len(obfuscate)
+ }
+ http.SetCookie(res, &http.Cookie{
+ Name: COOKIE_NAME_AUTH + strconv.Itoa(index),
+ Value: obfuscate[index*value_limit : end],
+ MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
+ Path: COOKIE_PATH,
+ HttpOnly: true,
+ SameSite: http.SameSiteStrictMode,
+ })
+ if end == len(obfuscate) {
+ break
+ } else {
+ Log.Debug("session::auth obfuscate index: %d length: %d total: %d", index, len(obfuscate[index*value_limit:end]), len(obfuscate))
+ index++
+ }
+ }
 if home != "" {
 SendSuccessResult(res, home)
 return
@@ -116,12 +133,20 @@ func SessionLogout(ctx App, res http.ResponseWriter, req *http.Request) {
 }
 })(ctx, res, req)
 }()
- http.SetCookie(res, &http.Cookie{
- Name: COOKIE_NAME_AUTH,
- Value: "",
- MaxAge: -1,
- Path: COOKIE_PATH,
- })
+ index := 0
+ for {
+ _, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
+ if err != nil {
+ break
+ }
+ http.SetCookie(res, &http.Cookie{
+ Name: COOKIE_NAME_AUTH + strconv.Itoa(index),
+ Value: "",
+ MaxAge: -1,
+ Path: COOKIE_PATH,
+ })
+ index++
+ }
 http.SetCookie(res, &http.Cookie{
 Name: COOKIE_NAME_ADMIN,
 Value: "",
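Review bot: The split loop writes chunks 0..index but never expires higher-index chunks a previous, longer session may have left in the browser, nor the legacy unindexed COOKIE_NAME_AUTH cookie; since the readers in share.go and middleware/session.go concatenate chunks until the first missing index, a stale tail from an earlier login gets appended to the new value and DecryptString rejects the whole session until the user clears cookies. Assuming the login request carries the browser's existing cookies, add an expiry pass after the loop for every indexed cookie still present above the last one written (and one for the bare name during the transition). As a point of style, `value_limit` should be a MixedCaps constant (`const cookieChunkLimit = 3800`) and the `else` after `break` can be dropped so the debug log and `index++` sit at the loop level.
```go
	// … unchanged: split loop writing chunks 0..index …
	// Expire chunks a previous, longer session left behind: the readers
	// concatenate until the first missing index, so a stale tail would
	// corrupt the freshly written value.
	for stale := index + 1; ; stale++ {
		if _, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(stale)); err != nil {
			break
		}
		http.SetCookie(res, &http.Cookie{
			Name:   COOKIE_NAME_AUTH + strconv.Itoa(stale),
			Value:  "",
			MaxAge: -1,
			Path:   COOKIE_PATH,
		})
	}
	// … unchanged: home redirect …
```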
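Review bot: The logout loop stops at the first index absent from the request, so it relies on the chunk indices being contiguous and it no longer touches the unindexed COOKIE_NAME_AUTH cookie that clients authenticated before this change still hold; with the bare name no longer read by the server, that cookie lingers until its MaxAge elapses instead of being cleared at logout. Keep the original unconditional expiry next to the loop, `http.SetCookie(res, &http.Cookie{Name: COOKIE_NAME_AUTH, Value: "", MaxAge: -1, Path: COOKIE_PATH})`, at least for the transition period. The enclosing SessionLogout body starts before this hunk.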
diff --git a/server/ctrl/share.go b/server/ctrl/share.go
index 5b19dda9..d2f21200 100644
--- a/server/ctrl/share.go
+++ b/server/ctrl/share.go
@@ -7,6 +7,7 @@ import (
 . "github.com/mickael-kerjean/filestash/server/common"
 "github.com/mickael-kerjean/filestash/server/model"
 "net/http"
+ "strconv"
 "strings"
 )
@@ -41,11 +42,17 @@ func ShareUpsert(ctx App, res http.ResponseWriter, req *http.Request) {
 Id: share_id,
 Auth: func() string {
 if ctx.Share.Id == "" {
- a, err := req.Cookie(COOKIE_NAME_AUTH)
- if err != nil {
- return ""
+ str := ""
+ index := 0
+ for {
+ cookie, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
+ if err != nil {
+ break
+ }
+ index++
+ str += cookie.Value
 }
- return a.Value
+ return str
 }
 return ctx.Share.Auth
 }(),
diff --git a/server/middleware/session.go b/server/middleware/session.go
index 59150e2e..4b9f6337 100644
--- a/server/middleware/session.go
+++ b/server/middleware/session.go
@@ -10,6 +10,7 @@ import (
 "github.com/mickael-kerjean/filestash/server/model"
 "net/http"
 "regexp"
+ "strconv"
 "strings"
 )
@@ -256,11 +257,19 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
 }
 return session, err
 } else {
- cookie, err := req.Cookie(COOKIE_NAME_AUTH)
- if err != nil {
+ str := ""
+ index := 0
+ for {
+ cookie, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(index))
+ if err != nil {
+ break
+ }
+ index++
+ str += cookie.Value
+ }
+ if str == "" {
 return session, nil
 }
- str = cookie.Value
 str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, str)
 if err != nil {
 // This typically happen when changing the secret key
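Review bot: The chunk-reassembly loop in the Auth closure here is the same loop added to _extractSession in server/middleware/session.go, and the split that produces the chunks lives in SessionAuthenticate; three copies of one wire format is how a later change to the chunk naming or limit gets applied to only some of them. Move the reader into one helper next to COOKIE_NAME_AUTH (presumably server/common, given the dot-import above) and call it from both places. The helper should document that it stops at the first missing index, so a gap in the chunk sequence yields a truncated value that is stored verbatim in the share record here and only rejected later by DecryptString; if that is not acceptable for ShareUpsert, have the caller reject an empty result. The enclosing ShareUpsert and _extractSession bodies both continue outside their hunks.
```go
// readAuthCookie reassembles the session value that SessionAuthenticate
// splits across COOKIE_NAME_AUTH + "0", "1", ... It stops at the first
// missing index, so a gap returns a truncated value rather than an error.
func readAuthCookie(req *http.Request) string {
	var b strings.Builder
	for i := 0; ; i++ {
		c, err := req.Cookie(COOKIE_NAME_AUTH + strconv.Itoa(i))
		if err != nil {
			break
		}
		b.WriteString(c.Value)
	}
	return b.String()
}
```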