luci-base: harden cookie sysauth=

A simple scan of the code indicates that currently no code in the repo is accessing the sysauth= cookie Closes openwrt/luci#1555 Signed-off-by: Florian Eckert <fe@dev.tdt.de> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
author: Yousong Zhou <yszhou4tech@gmail.com> 2018-05-13 17:55:01 +0800
committer: Yousong Zhou <yszhou4tech@gmail.com> 2018-05-13 18:30:47 +0800
commit: 2f0f456b7160e05352d34db152f3f41a7500b294 (patch)
tree: 34515853f38a47e746b609225388ac2233166b68 /modules/luci-base
parent: 88a1f8f4074b416ff4c6d85e8a45c39aca704abd (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 1984fc4ad..38932afae 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -428,7 +428,9 @@ function dispatch(request)
 				return
 			end
 
-			http.header("Set-Cookie", 'sysauth=%s; path=%s' %{ sid, build_url() })
+			http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly%s' %{
+				sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
+			})
 			http.redirect(build_url(unpack(ctx.requestpath)))
 		end
author	Yousong Zhou <yszhou4tech@gmail.com>	2018-05-13 17:55:01 +0800
committer	Yousong Zhou <yszhou4tech@gmail.com>	2018-05-13 18:30:47 +0800
commit	2f0f456b7160e05352d34db152f3f41a7500b294 (patch)
tree	34515853f38a47e746b609225388ac2233166b68 /modules/luci-base
parent	88a1f8f4074b416ff4c6d85e8a45c39aca704abd (diff)