Browse Source

Add SameSite attribute to WebUI session cookie

This attribute prevents the cookie from being submitted on any cross-site request, strongly limiting CSRF.

Closes #9877.
adaptive-webui-19844
Thomas Piccirello 6 years ago
parent
commit
cd47380b85
  1. 5
      src/webui/webapplication.cpp

5
src/webui/webapplication.cpp

@ -656,7 +656,10 @@ void WebApplication::sessionStart() @@ -656,7 +656,10 @@ void WebApplication::sessionStart()
QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
cookie.setHttpOnly(true);
cookie.setPath(QLatin1String("/"));
header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
QByteArray cookieRawForm = cookie.toRawForm();
if (m_isCSRFProtectionEnabled)
cookieRawForm.append("; SameSite=Strict");
header(Http::HEADER_SET_COOKIE, cookieRawForm);
}
void WebApplication::sessionEnd()

Loading…
Cancel
Save