Add option to remove tokens from cookie sessions (#673)

* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper

pkg/sessions/cookie/session_store.go

@@ -30,6 +30,7 @@ var _ sessions.SessionStore = &SessionStore{}
 type SessionStore struct {
 	Cookie       *options.Cookie
 	CookieCipher encryption.Cipher
+	Minimal      bool
 }
 
 // Save takes a sessions.SessionState and stores the information from it
@@ -39,7 +40,7 @@ func (s *SessionStore) Save(rw http.ResponseWriter, req *http.Request, ss *sessi
 		now := time.Now()
 		ss.CreatedAt = &now
 	}
-	value, err := cookieForSession(ss, s.CookieCipher)
+	value, err := s.cookieForSession(ss)
 	if err != nil {
 		return err
 	}
@@ -85,8 +86,17 @@ func (s *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) error {
 }
 
 // cookieForSession serializes a session state for storage in a cookie
-func cookieForSession(s *sessions.SessionState, c encryption.Cipher) ([]byte, error) {
-	return s.EncodeSessionState(c, true)
+func (s *SessionStore) cookieForSession(ss *sessions.SessionState) ([]byte, error) {
+	if s.Minimal && (ss.AccessToken != "" || ss.IDToken != "" || ss.RefreshToken != "") {
+		minimal := *ss
+		minimal.AccessToken = ""
+		minimal.IDToken = ""
+		minimal.RefreshToken = ""
+
+		return minimal.EncodeSessionState(s.CookieCipher, true)
+	}
+
+	return ss.EncodeSessionState(s.CookieCipher, true)
 }
 
 // sessionFromCookie deserializes a session from a cookie value
@@ -146,6 +156,7 @@ func NewCookieSessionStore(opts *options.SessionOptions, cookieOpts *options.Coo
 	return &SessionStore{
 		CookieCipher: cipher,
 		Cookie:       cookieOpts,
+		Minimal:      opts.Cookie.Minimal,
 	}, nil
 }