
web UI cookie: set the Secure flags if we are over TLS

Nicola Murino 4 năm trước cách đây
mục cha
commit
afe1da92c5
2 tập tin đã thay đổi với 5 bổ sung3 xóa
  1. 3 1
      httpd/auth_utils.go
  2. 2 2
      httpd/server.go

+ 3 - 1
httpd/auth_utils.go

@@ -107,7 +107,7 @@ func (c *jwtTokenClaims) createTokenResponse(tokenAuth *jwtauth.JWTAuth) (map[st
 	return response, nil
 }
 
-func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jwtauth.JWTAuth) error {
+func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth) error {
 	resp, err := c.createTokenResponse(tokenAuth)
 	if err != nil {
 		return err
@@ -118,6 +118,7 @@ func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jw
 		Path:     webBasePath,
 		Expires:  time.Now().Add(tokenDuration),
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})
 
 	return nil
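Review bot: `Secure: r.TLS != nil` on the added line is false whenever TLS is terminated in front of this process by a reverse proxy, so in the common proxied deployment the admin session cookie is still issued without the Secure attribute and a browser will also send it on a plaintext request to the same host. If the server already has a notion of trusted proxy addresses, the flag should be derived from a small helper that treats the request as secure when either `r.TLS != nil` or the peer is a configured proxy and `X-Forwarded-Proto` is `https`; the header must not be trusted from arbitrary clients. The cookie is also written without a SameSite attribute, so adding `SameSite: http.SameSiteStrictMode,` next to `HttpOnly: true` (or Lax if cross-site navigations into the UI are expected) would give the login cookie CSRF protection at no cost. The same two attributes should then be mirrored in the removeCookie hunk below so the deletion cookie matches. createAndSetCookie's closing brace lies outside this hunk.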
@@ -130,6 +131,7 @@ func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request) {
 		Path:     webBasePath,
 		MaxAge:   -1,
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})
 	invalidateToken(r)
 }

+ 2 - 2
httpd/server.go

@@ -128,7 +128,7 @@ func (s *httpdServer) handleWebLoginPost(w http.ResponseWriter, r *http.Request)
 		Signature:   admin.GetSignature(),
 	}
 
-	err = c.createAndSetCookie(w, s.tokenAuth)
+	err = c.createAndSetCookie(w, r, s.tokenAuth)
 	if err != nil {
 		renderLoginPage(w, err.Error())
 		return
@@ -224,7 +224,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 		}
 	}
 	logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username)
-	tokenClaims.createAndSetCookie(w, s.tokenAuth) //nolint:errcheck
+	tokenClaims.createAndSetCookie(w, r, s.tokenAuth) //nolint:errcheck
 }
 
 func (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {
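Review bot: The `//nolint:errcheck` on the refresh call discards the error from createAndSetCookie, so a failed refresh leaves the admin with an expiring cookie and nothing in the logs, while the debug line just above already claims "cookie refreshed". Since the error path in handleWebLoginPost is handled explicitly, this call should at least be logged: `if err := tokenClaims.createAndSetCookie(w, r, s.tokenAuth); err != nil { logger.Debug(logSender, "", "unable to refresh cookie for admin %#v: %v", admin.Username, err) }`, with the "cookie refreshed" message moved after the successful call. checkCookieExpiration begins before this hunk, and updateContextFromCookie continues past it.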