Diffstat (limited to 'include')
-rw-r--r--include/authorization.hpp12
-rw-r--r--include/login_routes.hpp12
2 files changed, 14 insertions, 10 deletions
diff --git a/include/authorization.hpp b/include/authorization.hpp
index 9e344d8f07..c078ede23a 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -193,11 +193,13 @@ static std::shared_ptr<persistent_data::UserSession>
cookieValue.find("SESSION=") == std::string::npos)
{
// TODO: change this to not switch to cookie auth
- res.addHeader("Set-Cookie", "XSRF-TOKEN=" + sp->csrfToken +
- "; Secure\r\nSet-Cookie: SESSION=" +
- sp->sessionToken +
- "; Secure; HttpOnly\r\nSet-Cookie: "
- "IsAuthenticated=true; Secure");
+ res.addHeader(
+ "Set-Cookie",
+ "XSRF-TOKEN=" + sp->csrfToken +
+ "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
+ sp->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
+ "IsAuthenticated=true; Secure");
BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
<< " with cookie will be used for this request.";
return sp;
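Review bot: The IsAuthenticated cookie at the tail of the new header value is the only one of the three that does not receive SameSite=Strict; it is still emitted as `"IsAuthenticated=true; Secure"` while XSRF-TOKEN and SESSION both gain the attribute in the same statement. If leaving it off is deliberate (it is also the only cookie without HttpOnly, so it is presumably meant to be readable by the web UI), a one-line comment on that literal should say so; otherwise change it to `"IsAuthenticated=true; SameSite=Strict; Secure"` so all cookies set by this path share one policy. The function whose body this is begins before the hunk, and the TODO on the line above the change is left as is.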
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index d4005599bb..4d42b565be 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -167,11 +167,13 @@ inline void requestRoutes(App& app)
// "set-cookie" string into the value header, and get
// the result we want, even though we are technicaly
// declaring two headers here.
- res.addHeader("Set-Cookie",
- "XSRF-TOKEN=" + session->csrfToken +
- "; Secure\r\nSet-Cookie: SESSION=" +
- session->sessionToken +
- "; Secure; HttpOnly");
+ res.addHeader(
+ "Set-Cookie",
+ "XSRF-TOKEN=" + session->csrfToken +
+ "; SameSite=Strict; Secure\r\nSet-Cookie: "
+ "SESSION=" +
+ session->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly");
}
else
{
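Review bot: The attribute suffixes `"; SameSite=Strict; Secure"` and `"; SameSite=Strict; Secure; HttpOnly"` are now string literals duplicated between this hunk and the one in include/authorization.hpp, and this commit had to edit both sites in lockstep, which is exactly how the two copies drift apart on the next attribute change. A small helper that builds the Set-Cookie value from a session's csrfToken and sessionToken, called from both places (the authorization.hpp caller appending its extra cookie), would keep the policy in one spot; it would also be the natural home for the comment explaining the "\r\nSet-Cookie: " joining trick that the lines above the change describe. requestRoutes begins before this hunk and the else branch after line 55 continues past it.
```cpp
// Value for one Set-Cookie header carrying both the CSRF and the session
// cookie; the embedded "\r\nSet-Cookie: " relies on the existing header
// joining behaviour described at the call sites.
inline std::string sessionCookieHeader(const std::string& csrfToken,
                                       const std::string& sessionToken)
{
    return "XSRF-TOKEN=" + csrfToken +
           "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
           sessionToken + "; SameSite=Strict; Secure; HttpOnly";
}
// … unchanged: comment about declaring two headers in one value …
res.addHeader("Set-Cookie", sessionCookieHeader(session->csrfToken,
                                                session->sessionToken));
```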