summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2020-01-29 09:07:51 +0100
committerJo-Philipp Wich <jo@mein.io>2020-01-29 09:07:51 +0100
commit885c97da535c0c77d79e53391de5c37f2704e01a (patch)
treeb042f34b2639f36e8337f82212f9bc6d49ca4d20
parentb8f65c340c42acda920298af4318784a79a0965c (diff)
luci-base: add another magic security attribute to the sysauth cookie
Fixes: #3585 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 48e125e4ae..32d34da012 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -806,7 +806,7 @@ function dispatch(request)
return tpl.render("sysauth", { duser = "root", fuser = user })
end
- http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly%s' %{
+ http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
})