From 72aa51c9b4e44034d1e6f151679b9e3912505b5b Mon Sep 17 00:00:00 2001
From: taoshihan
Date: Wed, 3 Sep 2025 16:02:15 +0800
Subject: [PATCH] fix
---
 cmd/server.go | 3 +--
 middleware/session.go | 30 ++++++++++++++++++++++++++++++
 tools/session.go | 24 ------------------------
 3 files changed, 31 insertions(+), 26 deletions(-)
 create mode 100644 middleware/session.go
 delete mode 100644 tools/session.go
diff --git a/cmd/server.go b/cmd/server.go
index f0f7b2d..7877247 100644
--- a/cmd/server.go
+++ b/cmd/server.go
@@ -56,9 +56,8 @@ func run() {
 // Gin engine setup
 engine := gin.Default()
 engine.LoadHTMLGlob("static/templates/*")
- engine.Static("/assets", "./static")
 engine.Static("/static", "./static")
- engine.Use(tools.Session("gofly"))
+ engine.Use(middleware.SessionHandler())
 engine.Use(middleware.CrossSite)
 
 // Middlewares
diff --git a/middleware/session.go b/middleware/session.go
new file mode 100644
index 0000000..ca46b3e
--- /dev/null
+++ b/middleware/session.go
@@ -0,0 +1,30 @@
+package middleware
+
+import (
+ "github.com/gin-contrib/sessions"
+ "github.com/gin-contrib/sessions/cookie"
+ "github.com/gin-gonic/gin"
+ "net/http"
+)
+
+// SessionHandler 创建并返回会话中间件
+func SessionHandler() gin.HandlerFunc {
+ store := SessionConfig()
+ return sessions.Sessions("GOFLY", store)
+}
+
+// SessionConfig 配置会话存储
+func SessionConfig() sessions.Store {
+ sessionMaxAge := 3600
+ sessionSecret := "GOFLY"
+
+ store := cookie.NewStore([]byte(sessionSecret))
+ store.Options(sessions.Options{
+ MaxAge: sessionMaxAge, // seconds
+ Path: "/",
+ HttpOnly: true, // 建议添加,防止XSS攻击
+ Secure: true, // 生产环境建议启用,要求HTTPS
+ SameSite: http.SameSiteLaxMode, // 防止CSRF攻击
+ })
+ return store
+}
diff --git a/tools/session.go b/tools/session.go
deleted file mode 100644
index 8d315c0..0000000
--- a/tools/session.go
+++ /dev/null
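Review bot: `engine.Static("/static", "./static")` still publishes the whole `./static` tree, and `engine.LoadHTMLGlob("static/templates/*")` two lines above shows that the server-side templates live inside that tree, so their raw source remains fetchable under `/static/templates/` once the `/assets` mount is gone. Consider mounting only the public asset subdirectories, or moving the templates outside the static root. Separately, if `tools.Session` was the only use of the `tools` package in this file, its import has to be dropped as well; the import block is outside the hunk, so that cannot be confirmed here. run() starts and ends outside the hunk.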
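Review bot: `sessionSecret := "GOFLY"` in SessionConfig keeps the cookie store's signing key as a constant committed to the repository, so anyone who can read the source can produce or alter session cookies that the server will accept; the new HttpOnly/Secure/SameSite options do not help against that. Load the key from deployment configuration, refuse to start when it is missing or short (gorilla/securecookie recommends a 32- or 64-byte authentication key), and treat both `"gofly"` and `"GOFLY"` as burned since they are in the repository history. The fence sketches this with a placeholder environment variable name and needs `os` added to the import block. Also, `Secure: true` is unconditional, so a deployment served over plain HTTP will silently lose its sessions. The option comments overstate the flags: HttpOnly keeps scripts from reading the cookie rather than preventing XSS, and SameSite=Lax still sends the cookie on top-level GET navigations, so state-changing GET routes stay exposed to CSRF.

```go
func SessionConfig() sessions.Store {
	sessionMaxAge := 3600
	// SESSION_SECRET is a placeholder name; read the key from the project's own config source.
	sessionSecret := os.Getenv("SESSION_SECRET")
	if len(sessionSecret) < 32 {
		panic("session secret is missing or shorter than 32 bytes")
	}

	store := cookie.NewStore([]byte(sessionSecret))
	// … unchanged: store.Options(...) and return store …
}
```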
@@ -1,24 +0,0 @@
-package tools
-
-import (
- "github.com/gin-contrib/sessions"
- "github.com/gin-contrib/sessions/cookie"
- "github.com/gin-gonic/gin"
-)
-
-// 中间件,处理session
-func Session(keyPairs string) gin.HandlerFunc {
- store := SessionConfig()
- return sessions.Sessions(keyPairs, store)
-}
-func SessionConfig() sessions.Store {
- sessionMaxAge := 3600
- sessionSecret := "gofly"
- var store sessions.Store
- store = cookie.NewStore([]byte(sessionSecret))
- store.Options(sessions.Options{
- MaxAge: sessionMaxAge, //seconds
- Path: "/",
- })
- return store
-}