Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session.

middleware/session.go

@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/cloudreve/Cloudreve/v3/pkg/conf"
 	"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
@@ -30,13 +31,25 @@ func Session(secret string) gin.HandlerFunc {
 		Store = memstore.NewStore([]byte(secret))
 	}
 
+	sameSiteMode := http.SameSiteDefaultMode
+	switch strings.ToLower(conf.CORSConfig.SameSite) {
+	case "default":
+		sameSiteMode = http.SameSiteDefaultMode
+	case "none":
+		sameSiteMode = http.SameSiteNoneMode
+	case "strict":
+		sameSiteMode = http.SameSiteStrictMode
+	case "lax":
+		sameSiteMode = http.SameSiteLaxMode
+	}
+
 	// Also set Secure: true if using SSL, you should though
 	Store.Options(sessions.Options{
 		HttpOnly: true,
 		MaxAge:   7 * 86400,
 		Path:     "/",
-		SameSite: http.SameSiteNoneMode,
-		Secure:   true,
+		SameSite: sameSiteMode,
+		Secure:   conf.CORSConfig.Secure,
 	})
 
 	return sessions.Sessions("cloudreve-session", Store)

pkg/conf/conf.go

@@ -61,6 +61,8 @@ type cors struct {
 	AllowHeaders     []string
 	AllowCredentials bool
 	ExposeHeaders    []string
+	SameSite         string
+	Secure           bool
 }
 
 var cfg *ini.File

pkg/conf/defaults.go

@@ -30,6 +30,8 @@ var CORSConfig = &cors{
 	AllowHeaders:     []string{"Cookie", "X-Cr-Policy", "Authorization", "Content-Length", "Content-Type", "X-Cr-Path", "X-Cr-FileName"},
 	AllowCredentials: false,
 	ExposeHeaders:    nil,
+	SameSite:         "Default",
+	Secure:           false,
 }
 
 // SlaveConfig 从机配置