luci-base: add another magic security attribute to the sysauth cookie

Fixes: #3585
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 885c97da535c0c77d79e53391de5c37f2704e01a)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index b43b94fdef9b6a56200ab36ffda919db89a39c0b..17228ac32fee8236c3f05db86d86541f4a8bebd3 100644 (file)
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -514,7 +514,7 @@ function dispatch(request)
                                return
                        end
 
-                       http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly%s' %{
+                       http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
                                sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
                        })
                        http.redirect(build_url(unpack(ctx.requestpath)))