diff --git a/README.md b/README.md
index 9e8e425941ab267b363c2931d4ad2e52633f1d53..aaec99432e825fcf211e527c386681584a33a184 100644
--- a/README.md
+++ b/README.md
@@ -42,9 +42,10 @@ server:
 - any
 # if true the server randomly selects a host to connect to
 roundRobin: false
- # a random string of at least 32 characters to secure cookies on the client
+ # a random strings of at least 32 characters to secure cookies on the client
 # make sure to share this across the different pods
 sessionKey: thisisasessionkeyreplacethisjetzt
+ sessionEncryptionKey: thisisasessionkeyreplacethisnunu!
 # Open ID Connect specific settings
 openId:
 providerUrl: http://keycloak/auth/realms/test
diff --git a/api/web.go b/api/web.go
index 27abe64ebcc13068484b1835fb2a36afd6306278..7dd24adf57ca07e8ca9f709ab8aecce06009faca 100644
--- a/api/web.go
+++ b/api/web.go
@@ -24,18 +24,19 @@ const (
 type TokenGeneratorFunc func(string, string) (string, error)
 
 type Config struct {
- SessionKey []byte
- TokenGenerator TokenGeneratorFunc
- OAuth2Config *oauth2.Config
- store *sessions.CookieStore
- TokenVerifier *oidc.IDTokenVerifier
- stateStore *cache.Cache
- Hosts []string
- GatewayAddress string
- UsernameTemplate string
- NetworkAutoDetect int
- BandwidthAutoDetect int
- ConnectionType int
+ SessionKey []byte
+ SessionEncryptionKey []byte
+ TokenGenerator TokenGeneratorFunc
+ OAuth2Config *oauth2.Config
+ store *sessions.CookieStore
+ TokenVerifier *oidc.IDTokenVerifier
+ stateStore *cache.Cache
+ Hosts []string
+ GatewayAddress string
+ UsernameTemplate string
+ NetworkAutoDetect int
+ BandwidthAutoDetect int
+ ConnectionType int
 }
 
 func (c *Config) NewApi() {
@@ -45,7 +46,7 @@ func (c *Config) NewApi() {
 if len(c.Hosts) < 1 {
 log.Fatal("Not enough hosts to connect to specified")
 }
- c.store = sessions.NewCookieStore(c.SessionKey)
+ c.store = sessions.NewCookieStore(c.SessionKey, c.SessionEncryptionKey)
 c.stateStore = cache.New(time.Minute*2, 5*time.Minute)
 }
 
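Review bot: The new `SessionEncryptionKey` field has no comment, and its contract is not the same as `SessionKey`'s: if this is gorilla/sessions, the first key of a pair is an HMAC key of any length while the second is a block key that `aes.NewCipher` accepts only at 16, 24 or 32 bytes. Suggested field comments: `// SessionKey signs session cookies (HMAC); any length, 32+ bytes recommended.` and `// SessionEncryptionKey encrypts session cookie contents; must be exactly 16, 24 or 32 bytes.` The `Config` struct is complete within the hunk; `NewApi` continues outside it.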
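Review bot: `NewApi` fails fast when the host list is empty but passes `c.SessionEncryptionKey` to `NewCookieStore` unchecked, and with gorilla/securecookie a block key of the wrong length is not rejected at construction — every later session encode/decode fails instead. A check beside the hosts check keeps the failure at startup: `if n := len(c.SessionEncryptionKey); n != 16 && n != 24 && n != 32 { log.Fatal("Session encryption key must be 16, 24 or 32 bytes") }`. This matters immediately: `main.go` in this commit converts the config value unconditionally, so a config file without the new setting yields a zero-length key, and the README sample `thisisasessionkeyreplacethisnunu!` is 33 bytes, so copying the documented example would trip the same rule. If encryption is meant to be optional, pass `nil` rather than an empty slice so the store stays signed-only.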
diff --git a/config/configuration.go b/config/configuration.go
index db752890449b0e88b3d186761cf87082321f3e22..55da5ea867f74ddf835658c19d0be414a36c269e 100644
--- a/config/configuration.go
+++ b/config/configuration.go
@@ -10,17 +10,18 @@ type Configuration struct {
 OpenId OpenIDConfig
 Caps RDGCapsConfig
 Security SecurityConfig
- Client ClientConfig
+ Client ClientConfig
 }
 
 type ServerConfig struct {
- GatewayAddress string
- Port int
- CertFile string
- KeyFile string
- Hosts []string
- RoundRobin bool
- SessionKey string
+ GatewayAddress string
+ Port int
+ CertFile string
+ KeyFile string
+ Hosts []string
+ RoundRobin bool
+ SessionKey string
+ SessionEncryptionKey string
 }
 
 type OpenIDConfig struct {
diff --git a/main.go b/main.go
index 9cc83818face411232ded9ff1e04045c006e7a81..f59dd120400c1d10faebe895d0ed818ced45f9a2 100644
--- a/main.go
+++ b/main.go
@@ -61,6 +61,7 @@ func main() {
 TokenVerifier: verifier,
 TokenGenerator: security.GeneratePAAToken,
 SessionKey: []byte(conf.Server.SessionKey),
+ SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey),
 Hosts: conf.Server.Hosts,
 NetworkAutoDetect: conf.Client.NetworkAutoDetect,
 UsernameTemplate: conf.Client.UsernameTemplate,
diff --git a/protocol/handler.go b/protocol/handler.go
index 4437b3a15f50bdb8d45013de728047c3d03f6328..5ee4468241e96703a891cac1eeaca589267ec76d 100644
--- a/protocol/handler.go
+++ b/protocol/handler.go
@@ -100,7 +100,7 @@ func (h *Handler) Process() error {
 _, cookie := readCreateTunnelRequest(pkt)
 if h.VerifyTunnelCreate != nil {
 if ok, _ := h.VerifyTunnelCreate(h.Session, cookie); !ok {
- log.Printf("Invalid PAA cookie: %s", cookie)
+ log.Printf("Invalid PAA cookie received")
 return errors.New("invalid PAA cookie")
 }
 }
@@ -284,7 +284,6 @@ func readCreateTunnelRequest(data []byte) (caps uint32, cookie string) {
 r.Read(cookieB)
 cookie, _ = DecodeUTF16(cookieB)
 }
- log.Printf("Create tunnel caps: %d, cookie: %s", caps, cookie)
 return
 }
 
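Review bot: `SessionEncryptionKey` is added as a bare string with no comment and nothing in this layer constrains it, so a reader of the config struct cannot tell that it is subject to tighter rules than `SessionKey`. Suggested comment on the field: `// SessionEncryptionKey encrypts session cookie contents; unlike SessionKey it must be exactly 16, 24 or 32 characters (AES key sizes) if the cookie store is gorilla/sessions.` `ServerConfig` is complete within the hunk; `Configuration` starts outside it.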
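Review bot: The verifier's error is still discarded by `ok, _ :=` on the line above the changed `log.Printf`, so once the cookie value is gone the message carries no diagnostic at all — an operator cannot tell an expired token from one signed with another pod's key. Keep the redaction but log the reason: `if ok, err := h.VerifyTunnelCreate(h.Session, cookie); !ok {` and `log.Printf("Invalid PAA cookie received: %v", err)`, provided the verifier's error does not embed the token itself. `Process` starts and ends outside the hunk.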