diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 68a0aa20d9..896930376c 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1724,8 +1724,8 @@ LEVEL = Info ;; Session cookie name ;COOKIE_NAME = i_like_gitea ;; -;; If you use session in https only, default is false -;COOKIE_SECURE = false +;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL. +;COOKIE_SECURE = ;; ;; Session GC time interval in seconds, default is 86400 (1 day) ;GC_INTERVAL_TIME = 86400 diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index d64fffb028..16e1e8223a 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md @@ -772,7 +772,7 @@ and - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]` - `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_. -- `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access. +- `COOKIE_SECURE`:**_empty_**: `true` or `false`. Enable this to force using HTTPS for all session access. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL. - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID. - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds. - `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day) diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md index 91d2fb8986..9ae8baafcc 100644 --- a/docs/content/administration/config-cheat-sheet.zh-cn.md +++ b/docs/content/administration/config-cheat-sheet.zh-cn.md @@ -200,7 +200,7 @@ menu: - `PROVIDER`: Session 内容存储方式,可选 `memory`, `file`, `redis` 或 `mysql`。 - `PROVIDER_CONFIG`: 如果是文件,那么这里填根目录;其他的要填主机地址和端口。 -- `COOKIE_SECURE`: 强制使用 HTTPS 作为session访问。 +- `COOKIE_SECURE`: **_empty_**:`true` 或 `false`。启用此选项以强制在所有会话访问中使用 HTTPS。如果没有设置,当 ROOT_URL 是 https 链接的时候默认设置为 true。 - `GC_INTERVAL_TIME`: Session失效时间。 ## Picture (`picture`) diff --git a/modules/setting/session.go b/modules/setting/session.go index d0bc938973..664c66f869 100644 --- a/modules/setting/session.go +++ b/modules/setting/session.go @@ -50,7 +50,7 @@ func loadSessionFrom(rootCfg ConfigProvider) { } SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea") SessionConfig.CookiePath = AppSubURL + "/" // there was a bug, old code only set CookePath=AppSubURL, no trailing slash - SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(false) + SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(strings.HasPrefix(strings.ToLower(AppURL), "https://")) SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400) SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400) SessionConfig.Domain = sec.Key("DOMAIN").String()