github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-08-21 05:43:32 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add SameSite attribute to WebUI session cookie

Browse source 
This attribute prevents the cookie from being submitted on any cross-site request, strongly limiting CSRF.

Closes #9877.
This commit is contained in:
Thomas Piccirello 2018-11-20 02:56:30 -05:00 committed by sledgehammer999
commit 9cc112aa4e
No known key found for this signature in database
GPG key ID: 6E4A2D025B7CC9A2
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/webui/webapplication.cpp
View file

@ -657,7 +657,10 @@ void WebApplication::sessionStart()
QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
cookie.setHttpOnly(true);
cookie.setPath(QLatin1String("/"));
header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
QByteArray cookieRawForm = cookie.toRawForm();
if (m_isCSRFProtectionEnabled)
cookieRawForm.append("; SameSite=Strict");
header(Http::HEADER_SET_COOKIE, cookieRawForm);
}
void WebApplication::sessionEnd()