Added same-site policy for session options

[AH-dark]

Store.Options(sessions.Options{
    HttpOnly: true,
    MaxAge:   7 * 86400,
    Path:     "/",
    SameSite: http.SameSiteNoneMode,
    Secure:   true,
})

[HFO4]

Why do we need this? Smaesite=None requires HTTPS to work, this will break some existing user's application.

[AH-dark]

SameSite=None can save us from deploying the front-end and back-end under a domain name.

You are right, there is such a problem. Maybe we can add a configuration to the conf file for this?

[HFO4]

SameSite=None can save us from deploying the front-end and back-end under a domain name.

You are right, there is such a problem. Maybe we can add a configuration to the conf file for this?

Yes, sounds good to me.

[AH-dark]

So should I put it in the CORS section or open a new section? How do you think it should be?

[HFO4]

So should I put it in the CORS section or open a new section? How do you think it should be?

I think under CORS section is good.

[codecov]

Codecov Report

Merging #1381 (ca0d81c) into master (a188067) will increase coverage by 0.08%.
The diff coverage is 66.66%.

❗ Current head ca0d81c differs from pull request most recent head 6a60081. Consider uploading reports for the commit 6a60081 to get more accurate results

@@            Coverage Diff             @@
##           master    #1381      +/-   ##
==========================================
+ Coverage   89.27%   89.35%   +0.08%     
==========================================
  Files          96       96              
  Lines        8306     8323      +17     
==========================================
+ Hits         7415     7437      +22     
+ Misses        727      723       -4     
+ Partials      164      163       -1     

Impacted Files	Coverage Δ
pkg/conf/conf.go	72.72% <ø> (ø)
middleware/session.go	84.09% <66.66%> (-12.21%)	⬇️
pkg/cluster/pool.go	94.82% <0.00%> (+9.48%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[AH-dark]

I have finished adding the relevant configuration.

By the way, I just learned that the Set-Cookie header also has a directive called Secure, which should correspond to HTTPS. That is, if it is a cross-site request and the request side is an HTTPS site, it should be enable.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

[AH-dark]

@HFO4 Sir, you haven't given me an answer yet!

[HFO4]

There seems to be conflict in go.mod.

[AH-dark]

There seems to be conflict in go.mod.

Solved.

[HFO4]

Thanks!