[pve-devel] [PATCH apiclient 4/4] lwp: set SameSite attr of auth cookie to 'strict'
Max Carrara
m.carrara at proxmox.com
Wed Mar 15 17:26:30 CET 2023
This prohibits the cookie from being sent along in cross-site
sub-requests or when the user navigates to a different site.
Signed-off-by: Max Carrara <m.carrara at proxmox.com>
---
PVE/APIClient/LWP.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
index ed7e4fe..722b35a 100755
--- a/PVE/APIClient/LWP.pm
+++ b/PVE/APIClient/LWP.pm
@@ -89,7 +89,7 @@ sub update_ticket {
$self->{ticket} = $ticket;
my $encticket = uri_escape($ticket);
- my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
+ my $cookie = "$self->{cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
$agent->default_header('Cookie', $cookie);
}
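Review bot: On the changed `my $cookie = ...` line, the string is handed to `$agent->default_header('Cookie', $cookie)` in the next line, so it goes out as a request `Cookie` header rather than being parsed as a `Set-Cookie`. `SameSite`, like `path` and `secure`, is an attribute that a user agent's cookie store evaluates when deciding whether to attach a cookie; inside a request `Cookie` header it is only another `name=value` pair for the server to parse, and a default header is sent on every request this agent makes. As written, the change therefore does not restrict when the ticket is sent, which is what the commit message describes. Suggest either reducing this header to `$self->{cookie_name}=$encticket` alone, or stating in the commit message which consumer of this string is expected to honour `SameSite=Strict`.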
--
2.39.2