Francois Gouget : testbot/cgi: Use SameSite=Lax on our session cookies.

Alexandre Julliard julliard at winehq.org
Wed Mar 30 15:17:55 CDT 2022


Module: tools
Branch: master
Commit: ed449d824215cde3122cc8838f49952f3fe745a6
URL:    https://source.winehq.org/git/tools.git/?a=commit;h=ed449d824215cde3122cc8838f49952f3fe745a6

Author: Francois Gouget <fgouget at codeweavers.com>
Date:   Wed Mar 30 19:03:44 2022 +0200

testbot/cgi: Use SameSite=Lax on our session cookies.

So far we were not specifying SameSite which means it defaulted to None
in older browsers which potentially allowed some cross-site attacks.
Newer browsers would now default to Lax so explicitly use that.

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 testbot/lib/WineTestBot/CGI/PageBase.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 19a5aec..759cfd0 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -137,6 +137,7 @@ sub UnsetCookies($)
                                   -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
                                   -Domain  => $ENV{"HTTP_HOST"},
                                   -Path    => "/",
+                                  -SameSite => "Lax",
                                   -Secure  => $UseSSL);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
   }
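Review bot: the new -SameSite => "Lax" argument on this first UnsetCookies cookie relies on the installed CGI::Cookie recognising -SameSite, and nothing in the patch checks or documents that. If the module on the server predates SameSite support, the attribute may simply be missing from the Set-Cookie header with no error, so it would be worth confirming the emitted header on the deployed host and noting the minimum CGI.pm version wherever the TestBot dependencies are listed.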
@@ -147,6 +148,7 @@ sub UnsetCookies($)
                                   -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
                                   -Domain  => $ENV{"HTTP_HOST"},
                                   -Path    => "/",
+                                  -SameSite => "Lax",
                                   -Secure  => !1);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
   }
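Review bot: in this second UnsetCookies cookie the added -SameSite line sits directly above -Secure => !1, and there is still no comment explaining why this copy is deliberately non-secure while the one above uses $UseSSL. Since the block is being touched anyway, a one-line comment stating which cookie each of the two expiry headers is meant to clear would make it easier to see that both variants carry the same attributes, apart from Secure, as the cookies they replace.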
@@ -178,6 +180,7 @@ sub SetCookies($)
       $Cookie = CGI::Cookie->new(-Name    => "SessionId",
                                  -Value   => $Session->Id,
                                  -Expires => $Expire,
+                                 -SameSite => "Lax",
                                  -Secure  => $UseSSL,
                                  -HttpOnly => 1);
       $Request->err_headers_out->add("Set-Cookie", $Cookie);
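Review bot: on the SessionId cookie, -SameSite => "Lax" still lets the browser send the session on cross-site top-level GET navigations, so the protection described in the commit message only holds if no state-changing TestBot page acts on a GET request. Please either confirm that in the commit message or a comment next to this call, or say why "Strict" was not chosen for the session identifier.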
@@ -199,6 +202,7 @@ sub SetCookies($)
     $Cookie = CGI::Cookie->new(-Name    => "SessionActive",
                                -Value   => $SessionPermanent,
                                -Expires => $Expire,
+                               -SameSite => "Lax",
                                -Secure  => !1,
                                -HttpOnly => 1);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
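Review bot: with this SessionActive cookie the literal "Lax" now appears at four separate CGI::Cookie->new call sites in PageBase.pm, which makes it easy for a later policy change to miss one of them. Consider defining the value once (a package-level variable or small helper next to $UseSSL) and passing that to -SameSite here and in the other three calls.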



