From fc127704955cb665e8e9cb653850b481046e3053 Mon Sep 17 00:00:00 2001 From: Mark McDowall Date: Sun, 7 Mar 2021 15:10:56 -0800 Subject: [PATCH] Fixed: Set SameSite=Strict for SonarrAuth cookie (cherry picked from commit 675c72f02e7565a937b40c23ec27df6d86f95dc3) --- .../Authentication/EnableAuthInNancy.cs | 3 +- .../Authentication/RadarrNancyCookie.cs | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 src/Radarr.Http/Authentication/RadarrNancyCookie.cs diff --git a/src/Radarr.Http/Authentication/EnableAuthInNancy.cs b/src/Radarr.Http/Authentication/EnableAuthInNancy.cs index cff6ed3b9..296f30089 100644 --- a/src/Radarr.Http/Authentication/EnableAuthInNancy.cs +++ b/src/Radarr.Http/Authentication/EnableAuthInNancy.cs @@ -4,7 +4,6 @@ using Nancy; using Nancy.Authentication.Basic; using Nancy.Authentication.Forms; using Nancy.Bootstrapper; -using Nancy.Cookies; using Nancy.Cryptography; using NzbDrone.Common.Extensions; using NzbDrone.Core.Authentication; @@ -117,7 +116,7 @@ namespace Radarr.Http.Authentication if (FormsAuthentication.DecryptAndValidateAuthenticationCookie(formsAuthCookieValue, _formsAuthConfig).IsNotNullOrWhiteSpace()) { - var formsAuthCookie = new NancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7)) + var formsAuthCookie = new RadarrNancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7)) { Path = GetCookiePath() }; diff --git a/src/Radarr.Http/Authentication/RadarrNancyCookie.cs b/src/Radarr.Http/Authentication/RadarrNancyCookie.cs new file mode 100644 index 000000000..7da243faa --- /dev/null +++ b/src/Radarr.Http/Authentication/RadarrNancyCookie.cs @@ -0,0 +1,38 @@ +using System; +using Nancy.Cookies; + +namespace Radarr.Http.Authentication +{ + public class RadarrNancyCookie : NancyCookie + { + public RadarrNancyCookie(string name, string value) + : base(name, value) + { + } + + public RadarrNancyCookie(string name, string value, DateTime expires) + : base(name, value, expires) + { + } + + public RadarrNancyCookie(string name, string value, bool httpOnly) + : base(name, value, httpOnly) + { + } + + public RadarrNancyCookie(string name, string value, bool httpOnly, bool secure) + : base(name, value, httpOnly, secure) + { + } + + public RadarrNancyCookie(string name, string value, bool httpOnly, bool secure, DateTime? expires) + : base(name, value, httpOnly, secure, expires) + { + } + + public override string ToString() + { + return base.ToString() + "; SameSite=Strict"; + } + } +}