[fix] CVE CSRF with cookie setting

2024-09-03 20:06:27 +02:00 · 2018-08-25 02:29:26 +02:00 · 2018-08-25 02:29:26 +02:00 · 07c3db2c46
commit 07c3db2c46
parent 6e1e1e10ff
1 changed files with 9 additions and 3 deletions
--- a/helpers.lua
+++ b/helpers.lua
@ -146,7 +146,9 @@ function set_auth_cookie(user, domain)
    local cookie_str = "; Domain=."..domain..
                       "; Path=/"..
                       "; Expires="..os.date("%a, %d %b %Y %X UTC;", expire)..
-                       "; Secure"
+                       "; Secure"..
+                       "; HttpOnly"..
+                       "; SameSite=Strict"

    ngx.header["Set-Cookie"] = {
        "SSOwAuthUser="..user..cookie_str,
@ -165,7 +167,9 @@ function delete_cookie()
        local cookie_str = "; Domain=."..domain..
                           "; Path=/"..
                           "; Expires="..expired_time..
-                           "; Secure"
+                           "; Secure"..
+                           "; HttpOnly"..
+                           "; SameSite=Strict"
        ngx.header["Set-Cookie"] = {
            "SSOwAuthUser="..cookie_str,
            "SSOwAuthHash="..cookie_str,
@ -180,7 +184,9 @@ function delete_redirect_cookie()
    local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;"
    local cookie_str = "; Path="..conf["portal_path"]..
                       "; Expires="..expired_time..
-                       "; Secure"
+                       "; Secure"..
+                       "; HttpOnly"..
+                       "; SameSite=Strict"
    ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str
 end