fix: do not panic if cookiemanager returns a nil cookie

Closes #1695

session/manager_http.go

@@ -52,7 +52,11 @@ func (s *ManagerHTTP) CreateAndIssueCookie(ctx context.Context, w http.ResponseW
 }
 
 func (s *ManagerHTTP) IssueCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error {
-	cookie, _ := s.r.CookieManager(r.Context()).Get(r, s.cookieName(ctx))
+	cookie, err := s.r.CookieManager(r.Context()).Get(r, s.cookieName(ctx))
+	// Fix for https://github.com/ory/kratos/issues/1695
+	if err != nil && cookie == nil {
+		return errors.WithStack(err)
+	}
 
 	if s.r.Config(ctx).SessionPath() != "" {
 		cookie.Options.Path = s.r.Config(ctx).SessionPath()

session/manager_http_test.go

@@ -166,6 +166,28 @@ func TestManagerHTTP(t *testing.T) {
 			assert.EqualValues(t, http.StatusOK, res.StatusCode)
 		})
 
+		t.Run("case=no panic on invalid cookie name", func(t *testing.T) {
+			conf.MustSet(config.ViperKeySessionLifespan, "1m")
+			conf.MustSet(config.ViperKeySessionName, "$%˜\"")
+			t.Cleanup(func() {
+				conf.MustSet(config.ViperKeySessionName, "")
+			})
+
+			rp.GET("/session/set/invalid", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+				require.Error(t, reg.SessionManager().CreateAndIssueCookie(r.Context(), w, r, s))
+				w.WriteHeader(http.StatusInternalServerError)
+			})
+
+			i := identity.Identity{Traits: []byte("{}")}
+			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), &i))
+			s, _ = session.NewActiveSession(&i, conf, time.Now())
+
+			c := testhelpers.NewClientWithCookies(t)
+			res, err := c.Get(pts.URL + "/session/set/invalidç")
+			require.NoError(t, err)
+			assert.EqualValues(t, http.StatusInternalServerError, res.StatusCode)
+		})
+
 		t.Run("case=valid and uses x-session-cookie", func(t *testing.T) {
 			conf.MustSet(config.ViperKeySessionLifespan, "1m")