From 13ab9786f7381aeea2dab7631480211610a7353b Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Sat, 25 Nov 2023 13:25:41 +0000
Subject: [PATCH] TIL HttpOnly

https://owasp.org/www-community/HttpOnly.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4642 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 core/auth.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/auth.js b/core/auth.js
index ab3df6ed..5aa61d3d 100644
--- a/core/auth.js
+++ b/core/auth.js
@@ -196,7 +196,7 @@ function handler(request, response) {
 }
 }
 
-let cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict`;
+let cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; HttpOnly`;
 let entry = readSession(session);
 if (entry && formData.return) {
 response.writeHead(303, {"Location": formData.return, "Set-Cookie": cookie});
@@ -220,7 +220,7 @@ function handler(request, response) {
 });
 }
 } else if (request.uri == "/login/logout") {
-response.writeHead(303, {"Set-Cookie": `session=; path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT`, "Location": "/login" + (request.query ? "?" + request.query : "")});
+response.writeHead(303, {"Set-Cookie": `session=; path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly`, "Location": "/login" + (request.query ? "?" + request.query : "")});
 response.end();
 } else {
 response.writeHead(200, {"Content-Type": "text/plain; charset=utf-8", "Connection": "close"});
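Review bot: The attribute tail `path=/; Secure; SameSite=Strict; HttpOnly` is now written out by hand in two places — the login cookie in this hunk and the clearing cookie in the -220 hunk — so the next attribute change (or a fix to the Secure condition) has to be repeated, and a clearing Set-Cookie only takes effect when its name and path match the cookie it replaces. A small module-level helper returning the shared tail keeps the two in step, as sketched below. `let cookie` is never reassigned within the hunk, so `const cookie` is the idiomatic declaration if handler (which starts and ends outside the hunk) does not reassign it later. Note also that `Secure` is emitted only when `request.client.tls` is true; if TLS is terminated by a proxy in front of this process the flag would be dropped, which is a deployment question worth a comment on this line.
```javascript
// Attribute tail shared by the login and logout Set-Cookie headers, so
// Secure/SameSite/HttpOnly cannot drift apart between the two.
function sessionCookieAttributes(request) {
  return `path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; HttpOnly`;
}
// … unchanged: handler body up to the cookie …
const cookie = `session=${session}; Max-Age=${kRefreshInterval}; ${sessionCookieAttributes(request)}`;
```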
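Review bot: The logout branch only expires the cookie on the client; nothing in this hunk discards the server-side record that `readSession(session)` in the -196 hunk looks up, so if such a record exists the old token presumably stays accepted until its Max-Age elapses — readSession is not visible here, so confirm whether there is a matching removal to call before the redirect. `request.uri == "/login/logout"` uses loose equality; `===` is the idiomatic form for a string compare. `Max-Age=0` states the expiry more directly than the fixed 1970 `expires` date, though browsers honour both. handler continues outside this hunk.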