Cookie Security Issues

I mentioned these points in #73 (closed). The bug itself got fixed but the security items were not, so I'm posting them again here. Since cookies are used for authentication, these should be addressed.

  • Authentication cookies don't need to be accessible to JavaScript on the client side. Having them accessible via JavaScript leaves the system open to XSS attacks whereby a malicious script can directly access the user's authentication cookies. Cookies should be set on the server, using the http.SetCookie function in a page handler, and should have the HttpOnly property set to true. This makes it so JavaScript cannot read/write the cookie values, but the cookies are still submitted with ajax requests via XmlHttpRequest.

  • If the base URL for Commento is prefixed with https, the Secure property should be set to true so that cookies are not sent over unencrypted/insecure connections.

  • If the base URL for Commento contains a subdirectory, the Path property on the cookie should be set to that path. This prevents an application at example.com/foo from receiving and/or manipulating a Commento cookie from example.com/commento. All paths under Path still receive the cookie, so Commento should not be affected by the change.

  • Administrative cookies should ideally be separate from commenting cookies, and the administrative cookies should have SameSite set to true. This is an experimental (not widely adopted) property that tells browsers to send the cookie only when the requesting origin is the same as the origin being requested. So the admin cookie is only sent when accessing the Commento admin page, but not any site being served comments by Commento. This can be made more secure by changing the Path property on this cookie to match only the administrative pages.

  • Cookies should be secured against modification. I'm using gorilla/securecookie in my own projects, as this makes it easy to validate the cookie with HMAC and optionally encrypt the contents before sending to the client.
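The five items above combined into one cookie builder, as an added example that is not Commento's own code: the HMAC signing uses the standard library as a stand-in for gorilla/securecookie, and the `/admin` path suffix for the administrative cookie is an assumed route name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"net/url"
	"strings"
)

// signValue appends an HMAC-SHA256 tag so a client-side edit of the value is
// detected on the next request (stand-in for gorilla/securecookie; no encryption).
func signValue(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return value + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyValue recomputes the tag, compares in constant time, returns the original value.
func verifyValue(key []byte, signed string) (string, bool) {
	i := strings.LastIndexByte(signed, '.')
	if i < 0 {
		return "", false
	}
	value := signed[:i]
	return value, hmac.Equal([]byte(signed), []byte(signValue(key, value)))
}

// authCookie builds a cookie per the items above: HttpOnly always, Secure when
// the base URL is https, Path scoped to the base URL's subdirectory, and for the
// admin cookie SameSite=Strict plus an "/admin" path suffix (assumed route name).
func authCookie(key []byte, baseURL, name, value string, admin bool) (*http.Cookie, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return nil, err
	}
	path := strings.TrimSuffix(u.Path, "/")
	if admin {
		path += "/admin"
	} else if path == "" {
		path = "/" // base URL with no subdirectory: cookie applies site-wide
	}
	c := &http.Cookie{Name: name, Value: signValue(key, value), Path: path,
		HttpOnly: true, Secure: u.Scheme == "https"}
	if admin {
		c.SameSite = http.SameSiteStrictMode
	}
	return c, nil
}
```

A handler would pass the result to `http.SetCookie(w, c)` and run `verifyValue` on the value read back from the request before trusting it.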

Edited Sep 23, 2018 by Adhityaa Chandrasekar