Added SameSite policy Lax and Secure to all cookies

Affects issues: - Close #1609
2024-12-28 12:07:35 +01:00 · 2020-10-25 21:38:17 +02:00 · 2020-10-25 21:38:17 +02:00 · 89abdae4c8
commit 89abdae4c8
parent e2043715d2
3 changed files with 4 additions and 4 deletions
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/RequestHandler.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/RequestHandler.java
@ -142,7 +142,7 @@ public class RequestHandler implements HttpHandler {
                String from = exchange.getRequestURI().toASCIIString();
                response = Response.builder()
                        .redirectTo(StringUtils.startsWithAny(from, "/auth/", "/login") ? "/login" : "/login?from=." + from)
-                        .setHeader("Set-Cookie", "auth=expired; Path=/; Max-Age=1")
+                        .setHeader("Set-Cookie", "auth=expired; Path=/; Max-Age=1; SameSite=Lax; Secure;")
                        .build();
            }
        }
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginResolver.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginResolver.java
@ -39,7 +39,7 @@ import java.util.concurrent.TimeUnit;
@Singleton
 public class LoginResolver implements NoAuthResolver {

-    private DBSystem dbSystem;
+    private final DBSystem dbSystem;

    @Inject
    public LoginResolver(
@ -61,7 +61,7 @@ public class LoginResolver implements NoAuthResolver {
    public Response getResponse(String cookie) {
        return Response.builder()
                .setStatus(200)
-                .setHeader("Set-Cookie", "auth=" + cookie + "; Path=/; Max-Age=" + TimeUnit.HOURS.toSeconds(2L))
+                .setHeader("Set-Cookie", "auth=" + cookie + "; Path=/; Max-Age=" + TimeUnit.HOURS.toSeconds(2L) + "; SameSite=Lax; Secure;")
                .setJSONContent(Collections.singletonMap("success", true))
                .build();
    }
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LogoutResolver.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LogoutResolver.java
@ -58,7 +58,7 @@ public class LogoutResolver implements NoAuthResolver {
    public Response getResponse(String cookie) {
        return Response.builder()
                .setStatus(200)
-                .setHeader("Set-Cookie", "auth=" + cookie + "; Max-Age=1")
+                .setHeader("Set-Cookie", "auth=" + cookie + "; Max-Age=1; SameSite=Lax; Secure;")
                .setMimeType(MimeType.HTML)
                .setContent(
                        "<p>Logging out..</p><script>const urlParams = new URLSearchParams(window.location.search);" +