url encode session cookie

deflect-ca · Nov 22, 2023 · a6c53ae · a6c53ae
1 parent 8846252
commit a6c53ae
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/internal/session_cookie.go b/internal/session_cookie.go
@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"log"
 	"math/rand"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -119,14 +120,15 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error {
 	*/
 	clientIp := c.Request.Header.Get("X-Client-IP")
 	dsc, err := c.Cookie(SessionCookieName)
+	urlDecodedDsc, _ := url.QueryUnescape(dsc)
 
 	if err == nil {
 		// cookie exists, validate it
-		validateErr := validateSessionCookie(dsc, config.SessionCookieHmacSecret, time.Now(), clientIp)
+		validateErr := validateSessionCookie(urlDecodedDsc, config.SessionCookieHmacSecret, time.Now(), clientIp)
 		if validateErr == nil || config.SessionCookieNotVerify {
 			// cookie is valid, do not attach cookie but only report dsc_new=false
 			// fmt.Printf("DSC: [%s] cookie %s is valid, report dsc_new=false\n", clientIp, dsc)
-			attachSessionCookie(c, config, dsc, false)
+			attachSessionCookie(c, config, urlDecodedDsc, false)
 		} else {
 			// cookie is invalid, create a new one
 			newDsc := newSessionCookie(config.SessionCookieHmacSecret, config.SessionCookieTtlSeconds, clientIp)
@@ -145,7 +147,8 @@ func sessionCookieEndPoint(c *gin.Context, config *Config) error {
 
 func attachSessionCookie(c *gin.Context, config *Config, dsc string, dsc_new bool) {
 	if dsc_new {
-		c.SetCookie(SessionCookieName, dsc, config.SessionCookieTtlSeconds, "/", "", false, true)
+		urlEncodedDsc := url.QueryEscape(dsc)
+		c.SetCookie(SessionCookieName, urlEncodedDsc, config.SessionCookieTtlSeconds, "/", "", false, true)
 	}
 	// for nginx log
 	c.Header("X-Deflect-Session", dsc)