From: Michael Tremer Date: Thu, 15 Feb 2024 16:11:13 +0000 (+0000) Subject: cookies: Set secure attribute for all cookies X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4873e33c6a69ccd55ea519141324537beb16f30;p=pbs.git cookies: Set secure attribute for all cookies Signed-off-by: Michael Tremer
---
diff --git a/src/web/__init__.py b/src/web/__init__.py
index f8cfef69..d46e2bce 100644
--- a/src/web/__init__.py
+++ b/src/web/__init__.py
@@ -105,6 +105,9 @@ class Application(tornado.web.Application):
 "make_url" : self.make_url,
 },
 xsrf_cookies = True,
+ xsrf_cookie_kwargs = dict(
+ secure = True,
+ ),
 )
 settings.update(kwargs)
diff --git a/src/web/auth.py b/src/web/auth.py
index 622147ab..33d22b2b 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -37,7 +37,7 @@ class LoginHandler(base.KerberosAuthMixin, base.BaseHandler):
 self.current_address, user_agent=self.user_agent)
 # Send the session cookie to the browser
- self.set_cookie("session_id", session.session_id, expires=session.valid_until)
+ self.set_cookie("session_id", session.session_id, secure=True, expires=session.valid_until)
 # If there is "next" given, we redirect the user accordingly
 next = self.get_argument("next", None)
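Review bot: In `src/web/__init__.py`, `settings.update(kwargs)` runs right after the new `xsrf_cookie_kwargs` default, so a caller that passes its own `xsrf_cookie_kwargs` replaces the whole dict and silently drops `secure = True`. If the flag is meant to be unconditional, merge rather than overwrite, for example `settings["xsrf_cookie_kwargs"] = dict(kwargs.pop("xsrf_cookie_kwargs", {}), secure=True)` placed before the `update` call. It would also help to add a comment such as `# Secure: browsers only send this cookie over HTTPS, so XSRF checks fail on plain-HTTP deployments`, since that is the operational consequence of the change. The constructor begins and ends outside the hunk, so whether any caller actually passes this key cannot be confirmed from here.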
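Review bot: In `src/web/auth.py`, the updated `set_cookie` call marks `session_id` as `secure` but still leaves it readable from JavaScript, so a script-injection bug anywhere on the site could read the session identifier. Adding `httponly=True` on the same line would close that gap: `self.set_cookie("session_id", session.session_id, secure=True, httponly=True, expires=session.valid_until)`. A `samesite` value may also be worth setting if the Tornado version in use accepts it. The handler body starts and ends outside the hunk, so other places that set or clear this cookie (for example logout) cannot be checked here and should carry the same attributes.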