From 383d791a50919bb9890a3f3f797ecc95125ab8bf Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 8 Jun 2020 15:11:17 +0200
Subject: [PATCH] Ensure session cookies are secure

While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site helps to improve situations where
for whatever reason, downgrade attacks are still a thing.

This patch adds the `sameSite` and `secure` to the session cookie and
this way prevent all accidents where a browser may doesn't support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 app.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app.js b/app.js
index 930191ce4..36cfe64a3 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,9 @@ app.use(session({
   saveUninitialized: true, // always create session to ensure the origin
   rolling: true, // reset maxAge on every response
   cookie: {
-    maxAge: config.sessionLife
+    maxAge: config.sessionLife,
+    sameSite: true,
+    secure: config.useSSL || config.protocolUseSSL || false
   },
   store: sessionStore
 }))