From 383d791a50919bb9890a3f3f797ecc95125ab8bf Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Mon, 8 Jun 2020 15:11:17 +0200
Subject: [PATCH 1/2] Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be secure, and only applied on same site helps to improve situations where for whatever reason, downgrade attacks are still a thing. This patch adds the `sameSite` and `secure` to the session cookie and this way prevent all accidents where a browser may doesn't support HSTS or HSTS is intentionally dropped.
Reference: https://www.npmjs.com/package/express-session#cookiesecure
Signed-off-by: Sheogorath
---
 app.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.js b/app.js
index 930191ce4..36cfe64a3 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,9 @@ app.use(session({
 saveUninitialized: true, // always create session to ensure the origin
 rolling: true, // reset maxAge on every response
 cookie: {
- maxAge: config.sessionLife
+ maxAge: config.sessionLife,
+ sameSite: true,
+ secure: config.useSSL || config.protocolUseSSL || false
 },
 store: sessionStore
 }))
From cdd18aebfdfe50fa1b26b9fa7913de547ff8c78f Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Mon, 8 Jun 2020 16:07:30 +0200
Subject: [PATCH 2/2] Remove unused socket.io cookie
The socket.io cookie doesn't really have any purpose as it's no longer user in modern socket.io versions. This patch disables it.
References: https://github.com/socketio/socket.io/issues/2276
Signed-off-by: Sheogorath
---
 app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.js b/app.js
index 36cfe64a3..f6e9d5a38 100644
--- a/app.js
+++ b/app.js
@@ -57,7 +57,7 @@ app.use(morgan('combined', {
 }))

 // socket io
-var io = require('socket.io')(server)
+var io = require('socket.io')(server, {cookie: false})
 io.engine.ws = new (require('ws').Server)({
 noServer: true,
 perMessageDeflate: false
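Review bot: `sameSite: true` on the added cookie line is serialized as `SameSite=Strict`, which makes the browser withhold the session cookie on every cross-site top-level navigation, including the redirect back from an external login provider, so any authentication callback that expects to find the session on return would fail; `sameSite: 'lax'` keeps the protection for cross-site state-changing requests while still allowing those navigations. The added `secure` line also depends on the app trusting its proxy when TLS terminates in front of Node (the `config.protocolUseSSL` case): express-session only sends a `secure` cookie when `req.secure` is true, so without `app.set('trust proxy', ...)` the cookie is silently never set; whether that is configured elsewhere in app.js cannot be seen from this hunk. The trailing `|| false` adds nothing, since an undefined result is treated as not secure exactly like `false` — `secure: config.useSSL || config.protocolUseSSL` says the same thing, or `secure: 'auto'` lets express-session decide per connection.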
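Review bot: The reason for `{cookie: false}` on the changed `var io` line exists only in the commit message, so a later socket.io upgrade or refactor could drop the option without anyone noticing; a comment on the line would preserve it, e.g. `// socket io (engine.io handshake cookie disabled: unused by this server, see socketio/socket.io#2276)`. The `io.engine.ws` statement that begins on the following context line continues past the end of the hunk.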