mirror of
https://github.com/zitadel/oidc.git
synced 2026-05-22 11:50:07 -05:00
d016375fa6
Fix for [https://github.com/zitadel/oidc/security/code-scanning/5](https://github.com/zitadel/oidc/security/code-scanning/5)

To fix the problem in general, any cookie that stores authentication or authorization-related data and is not intended to be accessed by client-side JavaScript should be created with `HttpOnly: true`. In Go, this is done by setting the `HttpOnly` field on the `http.Cookie` struct.

In this specific file, the cookie is created in `loginHandler` at lines 164–169. We should update the `http.Cookie` literal to include `HttpOnly: true`. This leaves the rest of the behavior unchanged: same name, value, path, and use of `securecookie` for encoding. No other code changes are required, and no new imports are needed, because `HttpOnly` is already part of the `net/http` standard library's `Cookie` struct.

Concretely:

- In `example/server/exampleop/device.go`, locate the cookie creation in `loginHandler`.
- Modify the struct literal for `cookie` to add `HttpOnly: true`.
- Keep `Name`, `Value`, and `Path` as they are.

This single change will address all three CodeQL alert variants, since they all refer to the same cookie.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
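The cookie change described in the commit, as an added stand-alone example that is not the project's code from `example/server/exampleop/device.go`: a handler that issues the login cookie without `HttpOnly`, the way the alert flagged it, beside the fixed version, plus a small check that parses the resulting `Set-Cookie` header and reports the attributes a reviewer would expect on a login cookie. The cookie name, the base64 stand-in for `securecookie`, the `device-123` sample input, and the additional `Secure` and `SameSite=Lax` attributes are assumptions that go beyond the commit, which adds only `HttpOnly`.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieName is an assumed name for this example; it is not the project's cookie name.
const cookieName = "example-login"

// encodeValue stands in for the securecookie encoding the real handler uses.
// Plain base64 keeps the example dependency-free; it provides no confidentiality
// or integrity and must not be used for a real login cookie.
func encodeValue(v string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(v))
}

// vulnerableLoginHandler issues the cookie the way CodeQL flagged it: without
// HttpOnly, so script running on the same origin can read it via document.cookie.
func vulnerableLoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:  cookieName,
		Value: encodeValue(r.FormValue("id")),
		Path:  "/",
	})
	w.WriteHeader(http.StatusOK)
}

// fixedLoginHandler applies the commit's fix (HttpOnly: true) and, beyond the
// commit, also sets Secure and SameSite=Lax, which a login cookie should carry
// so it is only sent over TLS and not attached to cross-site POSTs.
func fixedLoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     cookieName,
		Value:    encodeValue(r.FormValue("id")),
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	w.WriteHeader(http.StatusOK)
}

// issuedCookie runs a handler against a recorded request (constructed sample
// input) and returns the login cookie parsed back from the Set-Cookie header,
// so callers inspect what a client would actually receive.
func issuedCookie(h http.HandlerFunc) (*http.Cookie, error) {
	req := httptest.NewRequest(http.MethodGet, "/login?id=device-123", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	for _, c := range rec.Result().Cookies() {
		if c.Name == cookieName {
			return c, nil
		}
	}
	return nil, fmt.Errorf("cookie %q not set", cookieName)
}

// auditCookie lists the attributes a reviewer would flag as missing on a cookie
// that carries authentication state. An empty result means the cookie passes.
func auditCookie(c *http.Cookie) []string {
	var findings []string
	if !c.HttpOnly {
		findings = append(findings, "missing HttpOnly")
	}
	if !c.Secure {
		findings = append(findings, "missing Secure")
	}
	if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode {
		findings = append(findings, "SameSite not Lax or Strict")
	}
	return findings
}

func main() {
	for _, tc := range []struct {
		name string
		h    http.HandlerFunc
	}{{"before", vulnerableLoginHandler}, {"after", fixedLoginHandler}} {
		c, err := issuedCookie(tc.h)
		if err != nil {
			fmt.Println(tc.name, err)
			continue
		}
		fmt.Printf("%s: Set-Cookie: %s\n  findings: %v\n", tc.name, c.String(), auditCookie(c))
	}
}
```

Running `main` prints both `Set-Cookie` headers and their findings; the value is identical in both, which is the point the commit makes about leaving name, value and path unchanged. Note that `HttpOnly` only keeps script from reading the cookie; it does not stop the browser from sending it, so a cross-site request still carries the cookie unless `SameSite` restricts it, which is why the fixed handler sets it as well.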