From 885c97da535c0c77d79e53391de5c37f2704e01a Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 29 Jan 2020 09:07:51 +0100
Subject: [PATCH] luci-base: add another magic security attribute to the sysauth cookie

Fixes: #3585
Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/luasrc/dispatcher.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 48e125e4a..32d34da01 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -806,7 +806,7 @@ function dispatch(request)
 return tpl.render("sysauth", { duser = "root", fuser = user })
 end
- http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly%s' %{
+ http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
 sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
 })
--
2.25.1
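Review bot: The `SameSite=Strict` attribute added to the `Set-Cookie` format string has no comment, and the commit subject only calls it a "magic security attribute", so a later maintainer cannot tell what it protects against or where it stops. I would add a comment above the `http.header` call, e.g. `-- SameSite=Strict: browser withholds sysauth on cross-site requests (CSRF defence in depth); older browsers ignore it, and "same site" still includes other ports and sibling subdomains`, so the attribute is not mistaken for a replacement for server-side request-token checks. Separately, on the unchanged context line the `; secure` flag is emitted only when `http.getenv("HTTPS") == "on"`; presumably that variable is unset when TLS terminates at a reverse proxy in front of the web server, which would leave the session cookie without Secure in that deployment, so it is worth confirming. The body of dispatch() starts and ends outside this hunk.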