Merge pull request #9884 from Piccirello/webui-cookie-samesite

Add SameSite attribute to WebUI session cookie
6 years ago · 70707a2664
1 changed files with 4 additions and 1 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -657,7 +657,10 @@ void WebApplication::sessionStart()
				@@ -657,7 +657,10 @@ void WebApplication::sessionStart()
    QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
    cookie.setHttpOnly(true);
    cookie.setPath(QLatin1String("/"));
-    header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
+    QByteArray cookieRawForm = cookie.toRawForm();
+    if (m_isCSRFProtectionEnabled)
+        cookieRawForm.append("; SameSite=Strict");
+    header(Http::HEADER_SET_COOKIE, cookieRawForm);
 }

 void WebApplication::sessionEnd()