diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index fbaea9dc27367..f0b0cc298b6c1 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -1746,8 +1746,8 @@ LEVEL = Info ;; Session cookie name ;COOKIE_NAME = i_like_gitea ;; -;; If you use session in https only, default is false -;COOKIE_SECURE = false +;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL. +;COOKIE_SECURE = ;; ;; Session GC time interval in seconds, default is 86400 (1 day) ;GC_INTERVAL_TIME = 86400 diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md index 5e88426994fc2..acfb6ce77e653 100644 --- a/docs/content/administration/config-cheat-sheet.en-us.md +++ b/docs/content/administration/config-cheat-sheet.en-us.md @@ -777,7 +777,7 @@ and - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]. Setting `db` will reuse the configuration in `[database]` - `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string. Relative paths will be made absolute against _`AppWorkPath`_. -- `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access. +- `COOKIE_SECURE`:**_empty_**: `true` or `false`. Enable this to force using HTTPS for all session access. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL. - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID. - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds. - `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day) diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md index defd31dc1c3ef..b3e7d1024a14c 100644 --- a/docs/content/administration/config-cheat-sheet.zh-cn.md +++ b/docs/content/administration/config-cheat-sheet.zh-cn.md @@ -742,7 +742,7 @@ Gitea 创建以下非唯一队列: - `PROVIDER`: **memory**:会话存储引擎 \[memory, file, redis, redis-cluster, db, mysql, couchbase, memcache, postgres\]。设置为 `db` 将会重用 `[database]` 的配置信息。 - `PROVIDER_CONFIG`: **data/sessions**:对于文件,为根路径;对于 db,为空(将使用数据库配置);对于其他引擎,为连接字符串。相对路径将根据 _`AppWorkPath`_ 绝对化。 -- `COOKIE_SECURE`: **false**:启用此选项以强制在所有会话访问中使用 HTTPS。 +- `COOKIE_SECURE`: **_empty_**:`true` 或 `false`。启用此选项以强制在所有会话访问中使用 HTTPS。如果没有设置,当 ROOT_URL 是 https 链接的时候默认设置为 true。 - `COOKIE_NAME`: **i\_like\_gitea**:用于会话 ID 的 cookie 名称。 - `GC_INTERVAL_TIME`: **86400**:GC 间隔时间,以秒为单位。 - `SESSION_LIFE_TIME`: **86400**:会话生命周期,以秒为单位,默认为 86400(1 天)。 diff --git a/modules/setting/session.go b/modules/setting/session.go index d0bc938973ac1..664c66f86957d 100644 --- a/modules/setting/session.go +++ b/modules/setting/session.go @@ -50,7 +50,7 @@ func loadSessionFrom(rootCfg ConfigProvider) { } SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea") SessionConfig.CookiePath = AppSubURL + "/" // there was a bug, old code only set CookePath=AppSubURL, no trailing slash - SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(false) + SessionConfig.Secure = sec.Key("COOKIE_SECURE").MustBool(strings.HasPrefix(strings.ToLower(AppURL), "https://")) SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400) SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400) SessionConfig.Domain = sec.Key("DOMAIN").String()