fix(http): Add same site strict flag to session cookie

influxdata · Nov 12, 2020 · 20818a9 · 20818a9
1 parent fab99c9
commit 20818a9
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/http/session_handler.go b/http/session_handler.go
@@ -176,9 +176,10 @@ func decodeCookieSession(ctx context.Context, r *http.Request) (string, error) {
 // SetCookieSession adds a cookie for the session to an http request
 func SetCookieSession(key string, r *http.Request) {
 	c := &http.Cookie{
-		Name:   cookieSessionName,
-		Value:  key,
-		Secure: true,
+		Name:     cookieSessionName,
+		Value:    key,
+		Secure:   true,
+		SameSite: 3, // SameSiteStrictMode
 	}
 
 	r.AddCookie(c)