From 66ebe368b266fddff3e6490a3e1cb825b871cb5f Mon Sep 17 00:00:00 2001
From: davidby-influx <72418212+davidby-influx@users.noreply.github.com>
Date: Wed, 20 Dec 2023 12:28:24 -0800
Subject: [PATCH] fix: enable Secure when using TLS and enable HttpOnly
 (#24524) (#24526)

Set the HttpOnly and, when TLS is enabled,
Secure flags on cookies

closes: https://github.com/influxdata/influxdb/issues/24522

(cherry picked from commit 8e8700f14f8b45601f59cb20908ee5baa8667328)

closes https://github.com/influxdata/influxdb/issues/24523
---
 session/http_server.go      | 6 ++++--
 session/http_server_test.go | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/session/http_server.go b/session/http_server.go
index 98a07ffe8ee..b78d5fea8f7 100644
--- a/session/http_server.go
+++ b/session/http_server.go
@@ -105,7 +105,7 @@ func (h *SessionHandler) handleSignin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	encodeCookieSession(w, s)
+	encodeCookieSession(w, s, (r != nil) && (r.TLS != nil))
 	w.WriteHeader(http.StatusNoContent)
 }
 
@@ -163,7 +163,7 @@ func decodeSignoutRequest(ctx context.Context, r *http.Request) (*signoutRequest
 
 const cookieSessionName = "influxdb-oss-session"
 
-func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) {
+func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled bool) {
 	// We only need the session cookie for accesses to "/api/...", so limit
 	// it to that using "Path".
 	//
@@ -208,6 +208,8 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session) {
 		Path:     "/api/", // since UI doesn't need it, limit cookie usage to API requests
 		Expires:  s.ExpiresAt,
 		SameSite: http.SameSiteStrictMode,
+		HttpOnly: true,
+		Secure:   tlsEnabled,
 	}
 
 	http.SetCookie(w, c)
diff --git a/session/http_server_test.go b/session/http_server_test.go
index b22e4c357e4..41d650dcad4 100644
--- a/session/http_server_test.go
+++ b/session/http_server_test.go
@@ -58,7 +58,7 @@ func TestSessionHandler_handleSignin(t *testing.T) {
 				password: "supersecret",
 			},
 			wants: wants{
-				cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; SameSite=Strict",
+				cookie: "influxdb-oss-session=abc123xyz; Path=/api/; Expires=Thu, 26 Sep 2030 00:00:00 GMT; HttpOnly; SameSite=Strict",
 				code:   http.StatusNoContent,
 			},
 		},