From 07c3db2c46b452795e2b0f2292f79fbc2b3acf40 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 25 Aug 2018 02:29:26 +0200 Subject: [PATCH] [fix] CVE CSRF with cookie setting --- helpers.lua | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/helpers.lua b/helpers.lua index ea7f67b..6d02309 100644 --- a/helpers.lua +++ b/helpers.lua @@ -146,7 +146,9 @@ function set_auth_cookie(user, domain) local cookie_str = "; Domain=."..domain.. "; Path=/".. "; Expires="..os.date("%a, %d %b %Y %X UTC;", expire).. - "; Secure" + "; Secure".. + "; HttpOnly".. + "; SameSite=Strict" ngx.header["Set-Cookie"] = { "SSOwAuthUser="..user..cookie_str, @@ -165,7 +167,9 @@ function delete_cookie() local cookie_str = "; Domain=."..domain.. "; Path=/".. "; Expires="..expired_time.. - "; Secure" + "; Secure".. + "; HttpOnly".. + "; SameSite=Strict" ngx.header["Set-Cookie"] = { "SSOwAuthUser="..cookie_str, "SSOwAuthHash="..cookie_str, @@ -180,7 +184,9 @@ function delete_redirect_cookie() local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;" local cookie_str = "; Path="..conf["portal_path"].. "; Expires="..expired_time.. - "; Secure" + "; Secure".. + "; HttpOnly".. + "; SameSite=Strict" ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str end
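Review bot: `SameSite=Strict` on the SSOwAuthUser cookie (and its siblings built from the same cookie_str) is silently ignored by browsers that do not implement SameSite, and it does nothing against requests from sibling subdomains, which the `Domain=.`..domain scope deliberately shares the cookie with — so this is defence in depth rather than the complete CSRF fix the subject line suggests, and state-changing portal endpoints presumably still need a server-side token (confirm outside this hunk). Strict also withholds the cookie on top-level cross-site navigations, so a user following a link from e-mail into a protected app arrives unauthenticated and is bounced through the portal; if that flow matters, `"; SameSite=Lax"` still blocks the cross-site POSTs that CSRF relies on. The Expires value two lines above is built with `os.date("%a, %d %b %Y %X UTC;", expire)`, which formats local time (no `!` prefix) while labelling it UTC, uses the locale-dependent `%X`, and ends with `;` so the header carries `UTC;; Secure`; `os.date("!%a, %d %b %Y %H:%M:%S GMT", expire)` is the canonical form. set_auth_cookie's body continues past the end of the hunk.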
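Review bot: The security attribute string is now assembled by hand in three functions with identical flags, so a later change (adding `Max-Age`, relaxing SameSite) can drift between the setter and the two deleters; a single local helper such as `local function cookie_flags() return "; Secure; HttpOnly; SameSite=Strict" end` concatenated in each function keeps them in step. A browser selects the cookie to overwrite by name, Domain and Path only, so the flags added here are harmless but are not what makes the expiry take effect — a comment such as `-- Domain and Path must match set_auth_cookie for the browser to expire the cookie` would stop the next reader from "fixing" a mismatch by touching the flags. delete_cookie's signature, and the `domain` and `expired_time` locals this hunk reads, are defined before the hunk.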
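Review bot: `ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str` assigns a bare string, which replaces any Set-Cookie headers already queued on the response instead of appending to them; if delete_cookie() ever runs in the same request (its callers are outside this hunk, so this is inferred) the auth-cookie expiries would be dropped silently, and wrapping the value in a table, or appending to an existing header table, avoids that footgun. The literal also ends with `;` right before cookie_str's leading `; `, producing `SSOwAuthRedirect=;; Path=...`; `"SSOwAuthRedirect=" .. cookie_str` is the cleaner spelling. Unlike the two auth cookies this deletion sets no Domain attribute, so it only clears SSOwAuthRedirect if that cookie was set host-only with the same `conf["portal_path"]` Path — a comment pointing at the place the redirect cookie is set would make the pairing checkable. delete_redirect_cookie starts before the hunk.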