-rw-r--r-- | include/authorization.hpp | 12 | ||||
-rw-r--r-- | include/login_routes.hpp | 12 |
2 files changed, 14 insertions, 10 deletions
diff --git a/include/authorization.hpp b/include/authorization.hpp
index 9e344d8f07..c078ede23a 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -193,11 +193,13 @@ static std::shared_ptr<persistent_data::UserSession>
 cookieValue.find("SESSION=") == std::string::npos)
 {
 // TODO: change this to not switch to cookie auth
- res.addHeader("Set-Cookie", "XSRF-TOKEN=" + sp->csrfToken +
- "; Secure\r\nSet-Cookie: SESSION=" +
- sp->sessionToken +
- "; Secure; HttpOnly\r\nSet-Cookie: "
- "IsAuthenticated=true; Secure");
+ res.addHeader(
+ "Set-Cookie",
+ "XSRF-TOKEN=" + sp->csrfToken +
+ "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
+ sp->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
+ "IsAuthenticated=true; Secure");
 BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
 << " with cookie will be used for this request.";
 return sp;
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index d4005599bb..4d42b565be 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -167,11 +167,13 @@ inline void requestRoutes(App& app)
 // "set-cookie" string into the value header, and get
 // the result we want, even though we are technicaly
 // declaring two headers here.
- res.addHeader("Set-Cookie",
- "XSRF-TOKEN=" + session->csrfToken +
- "; Secure\r\nSet-Cookie: SESSION=" +
- session->sessionToken +
- "; Secure; HttpOnly");
+ res.addHeader(
+ "Set-Cookie",
+ "XSRF-TOKEN=" + session->csrfToken +
+ "; SameSite=Strict; Secure\r\nSet-Cookie: "
+ "SESSION=" +
+ session->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly");
 }
 else
 { |
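Review bot: The third cookie emitted by the new header in include/authorization.hpp, `"IsAuthenticated=true; Secure");`, is the only one of the three that does not receive `SameSite=Strict`, so one response now sets cookies with two different cross-site policies. If that is deliberate (the cookie is a non-HttpOnly flag rather than a credential), a short comment above the call saying so would stop the next reader from "fixing" it; otherwise `"IsAuthenticated=true; SameSite=Strict; Secure");` keeps the attribute list uniform. Either way the `// TODO` line above the call is a good place to add that `SameSite` is defense in depth only: a client that ignores the attribute still sends the SESSION cookie cross-site, so the XSRF-TOKEN check remains the primary CSRF control. The enclosing function starts before the hunk and its body continues after it.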
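Review bot: The cookie attribute strings in the new `res.addHeader` call in include/login_routes.hpp are now hand-maintained in two places, this hunk and the matching call in include/authorization.hpp, and the two already diverge (the authorization.hpp variant appends a third cookie without `SameSite=Strict`). A small shared helper that builds the XSRF-TOKEN and SESSION `Set-Cookie` values from a csrf/session token pair, placed in a header both files already include, would make the next attribute change land in both call sites at once. The `\r\nSet-Cookie: ` splice described in the comment above the hunk relies on neither token containing CR or LF; presumably they are server-generated, and stating that assumption in that comment would make the construction easier to audit. requestRoutes starts before the hunk and continues after it.
```cpp
// Builds the XSRF-TOKEN and SESSION Set-Cookie values shared by the login
// route and the TLS-session path, so the attribute list lives in one place.
// Tokens are assumed to be server-generated and free of CR/LF.
inline std::string sessionCookies(const std::string& csrfToken,
                                  const std::string& sessionToken)
{
    return "XSRF-TOKEN=" + csrfToken +
           "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
           sessionToken + "; SameSite=Strict; Secure; HttpOnly";
}
// … unchanged: comment explaining the two-header trick …
res.addHeader("Set-Cookie",
              sessionCookies(session->csrfToken, session->sessionToken));
```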