From e9bd75f4e10ca37971ef26d79296903c963195fd Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 21 Mar 2017 15:24:41 +0800
Subject: [PATCH 1/5] Set HttpOnly attribute to SID cookie
---
 src/webui/abstractwebapplication.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index c15599466..cb496005d 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -354,6 +354,7 @@ bool AbstractWebApplication::sessionStart()
 sessions_[session_->id] = session_;
 QNetworkCookie cookie(C_SID, session_->id.toUtf8());
+ cookie.setHttpOnly(true);
 cookie.setPath(QLatin1String("/"));
 header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
From e4d6fe2d022f00dcd10386016c219b2323ff5514 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 21 Mar 2017 15:57:55 +0800
Subject: [PATCH 2/5] Refactor: reorder headers
---
 src/webui/abstractwebapplication.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/webui/abstractwebapplication.h b/src/webui/abstractwebapplication.h
index ab8ad378f..e0e1ed279 100644
--- a/src/webui/abstractwebapplication.h
+++ b/src/webui/abstractwebapplication.h
@@ -29,12 +29,13 @@
 #ifndef ABSTRACTWEBAPPLICATION_H
 #define ABSTRACTWEBAPPLICATION_H
-#include
-#include
 #include
-#include "base/http/types.h"
-#include "base/http/responsebuilder.h"
+#include
+#include
+
 #include "base/http/irequesthandler.h"
+#include "base/http/responsebuilder.h"
+#include "base/http/types.h"
 struct WebSession;
 struct WebSessionData;
From e26b30a5f40c8da8fe1e2d17dc66be0836be916a Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 21 Mar 2017 16:16:01 +0800
Subject: [PATCH 3/5] Refactor: initialize class variable directly
---
 src/webui/abstractwebapplication.cpp | 23 ++++++++---------------
 src/webui/abstractwebapplication.h | 1 -
 2 files changed, 8 insertions(+), 16 deletions(-)
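Review bot: The session cookie now carries HttpOnly but not the Secure attribute, so when the WebUI is reached over HTTPS the browser will still attach the SID to a plaintext request for the same host; if this object can tell that the listener is TLS, add `cookie.setSecure(true);` next to the new line, gated on that (setting it unconditionally would break plain-HTTP deployments). A short comment on the new line would also help, e.g. `// keep the SID out of reach of page script; it is only needed on the wire`. sessionStart() continues past the end of this hunk.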
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index cb496005d..0e318da5c 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -396,18 +396,11 @@ QString AbstractWebApplication::saveTmpFile(const QByteArray &data)
 return QString();
 }
-QStringMap AbstractWebApplication::initializeContentTypeByExtMap()
-{
- QStringMap map;
-
- map["htm"] = Http::CONTENT_TYPE_HTML;
- map["html"] = Http::CONTENT_TYPE_HTML;
- map["css"] = Http::CONTENT_TYPE_CSS;
- map["gif"] = Http::CONTENT_TYPE_GIF;
- map["png"] = Http::CONTENT_TYPE_PNG;
- map["js"] = Http::CONTENT_TYPE_JS;
-
- return map;
-}
-
-const QStringMap AbstractWebApplication::CONTENT_TYPE_BY_EXT = AbstractWebApplication::initializeContentTypeByExtMap();
+const QStringMap AbstractWebApplication::CONTENT_TYPE_BY_EXT = {
+ { "htm", Http::CONTENT_TYPE_HTML },
+ { "html", Http::CONTENT_TYPE_HTML },
+ { "css", Http::CONTENT_TYPE_CSS },
+ { "gif", Http::CONTENT_TYPE_GIF },
+ { "png", Http::CONTENT_TYPE_PNG },
+ { "js", Http::CONTENT_TYPE_JS }
+};
diff --git a/src/webui/abstractwebapplication.h b/src/webui/abstractwebapplication.h
index e0e1ed279..8d1227fc9 100644
--- a/src/webui/abstractwebapplication.h
+++ b/src/webui/abstractwebapplication.h
@@ -103,7 +103,6 @@ private:
 static void translateDocument(QString &data);
 static const QStringMap CONTENT_TYPE_BY_EXT;
- static QStringMap initializeContentTypeByExtMap();
 };
 #endif // ABSTRACTWEBAPPLICATION_H
From 4e48408eaa8a6bb702a6f77aec2b349664eb18fd Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 21 Mar 2017 16:30:28 +0800
Subject: [PATCH 4/5] Fire up the timer to clean inactive sessions
---
 src/webui/abstractwebapplication.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index 0e318da5c..436a5325b 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
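Review bot: `CONTENT_TYPE_BY_EXT` is a namespace-scope static whose initializer reads `Http::CONTENT_TYPE_HTML` and friends; if those are dynamically initialized objects defined in another translation unit, their value at the time this initializer runs is unspecified (static initialization order), so this is worth confirming against base/http/types.h. The removed helper had the same exposure, so nothing regresses here; if the constants do turn out to be cross-TU, a function-local static behind an accessor such as `static const QStringMap &contentTypeByExt();` would give a well-defined order. The header hunk in this commit only drops the now-unused declaration.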
@@ -87,8 +87,8 @@ AbstractWebApplication::AbstractWebApplication(QObject *parent)
 , session_(0)
 {
 QTimer *timer = new QTimer(this);
- timer->setInterval(60000); // 1 min.
 connect(timer, SIGNAL(timeout()), SLOT(removeInactiveSessions()));
+ timer->start(60 * 1000); // 1 min.
 }
 AbstractWebApplication::~AbstractWebApplication()
From 272d53fdf888f536c0d7915b0b5f7c79ed0a930c Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Wed, 22 Mar 2017 16:54:07 +0800
Subject: [PATCH 5/5] Set cookie SID value to empty on logout
Set cookie SID expiration date to 1 day in the past on logout
---
 src/webui/abstractwebapplication.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/webui/abstractwebapplication.cpp b/src/webui/abstractwebapplication.cpp
index 436a5325b..f29d891ee 100644
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@@ -367,9 +367,9 @@ bool AbstractWebApplication::sessionStart()
 bool AbstractWebApplication::sessionEnd()
 {
 if ((session_ != 0) && (sessions_.contains(session_->id))) {
- QNetworkCookie cookie(C_SID, session_->id.toUtf8());
+ QNetworkCookie cookie(C_SID);
 cookie.setPath(QLatin1String("/"));
- cookie.setExpirationDate(QDateTime::currentDateTime());
+ cookie.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
 sessions_.remove(session_->id);
 delete session_;
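Review bot: The interval passed to `timer->start(60 * 1000)` is a bare literal whose comment only restates it; a named constant at file scope keeps the cleanup cadence in one place, e.g. `const int SESSION_CLEANUP_INTERVAL_MS = 60 * 1000;` and `timer->start(SESSION_CLEANUP_INTERVAL_MS);`. The old code set the interval but never started the timer, so the session sweep never ran; with the slot connected before `start()` the first timeout cannot be missed. What counts as inactive is decided in `removeInactiveSessions()`, outside this hunk, so a one-line comment here naming that would help a reader of the constructor.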