diff --git a/core/auth.js b/core/auth.js
index ab3df6ed..5aa61d3d 100644
--- a/core/auth.js
+++ b/core/auth.js
@@ -196,7 +196,7 @@ function handler(request, response) {
 }
 }
-let cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict`;
+let cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; HttpOnly`;
 let entry = readSession(session);
 if (entry && formData.return) {
 response.writeHead(303, {"Location": formData.return, "Set-Cookie": cookie});
@@ -220,7 +220,7 @@ function handler(request, response) {
 });
 }
 } else if (request.uri == "/login/logout") {
-response.writeHead(303, {"Set-Cookie": `session=; path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT`, "Location": "/login" + (request.query ? "?" + request.query : "")});
+response.writeHead(303, {"Set-Cookie": `session=; path=/; ${request.client.tls ? 'Secure; ' : ''}SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly`, "Location": "/login" + (request.query ? "?" + request.query : "")});
 response.end();
 } else {
 response.writeHead(200, {"Content-Type": "text/plain; charset=utf-8", "Connection": "close"});
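Review bot: The `Secure` attribute on the new `cookie` line is still gated on `request.client.tls`, so if this service is ever deployed behind a TLS-terminating proxy the session cookie is issued without `Secure`, and the added `HttpOnly` does not change that. Consider deriving the secure flag from deployment configuration or a trusted forwarded-proto signal rather than the raw socket, which would also make the `__Host-` prefix available since the cookie already uses `path=/` and no `Domain`. Separately, the context line below passes `formData.return` straight into `Location`; unless it is validated elsewhere, restricting it to a same-origin relative path (e.g. `formData.return.startsWith('/') && !formData.return.startsWith('//')`) would close an open redirect. The same hand-built attribute string is repeated in the hunk at -220 (logout); `handler` begins and ends outside this hunk.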
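Review bot: The logout `Set-Cookie` value on the added line is assembled by hand separately from the login cookie in the hunk at -196, which is why `HttpOnly` had to be appended in two places and why any future attribute change (Secure policy, SameSite, a `__Host-` prefix) must be mirrored manually. A small module-level helper that owns the attribute list would keep both cookies in step; the clearing cookie can then also carry `Max-Age=0` alongside the `expires` date so clients that prefer `Max-Age` drop it regardless of clock skew. `handler` begins and ends outside this hunk, so the helper would live next to it.

```javascript
// Module level, next to handler(): single owner of the session cookie attributes.
function sessionCookie(request, value, lifetime) {
  const secure = request.client.tls ? 'Secure; ' : '';
  return `session=${value}; path=/; ${secure}SameSite=Strict; HttpOnly; ${lifetime}`;
}
// … unchanged: logout branch up to the redirect …
response.writeHead(303, {"Set-Cookie": sessionCookie(request, '', 'Max-Age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT'), "Location": "/login" + (request.query ? "?" + request.query : "")});
```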