Fixed: Set SameSite=Strict for SonarrAuth cookie

Closes #4365
4 years ago · 675c72f02e
parent 6619350f87
commit 675c72f02e
2 changed files with 34 additions and 2 deletions
--- a/src/Sonarr.Http/Authentication/EnableAuthInNancy.cs
+++ b/src/Sonarr.Http/Authentication/EnableAuthInNancy.cs
@ -4,7 +4,6 @@ using Nancy;
 using Nancy.Authentication.Basic;
 using Nancy.Authentication.Forms;
 using Nancy.Bootstrapper;
-using Nancy.Cookies;
 using Nancy.Cryptography;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Core.Authentication;
@ -120,7 +119,7 @@ namespace Sonarr.Http.Authentication

                if (FormsAuthentication.DecryptAndValidateAuthenticationCookie(formsAuthCookieValue, FormsAuthConfig).IsNotNullOrWhiteSpace())
                {
-                    var formsAuthCookie = new NancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7))
+                    var formsAuthCookie = new SonarrNancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7))
                    {
                        Path = GetCookiePath()
                    };
--- a/src/Sonarr.Http/Authentication/SonarrNancyCookie.cs
+++ b/src/Sonarr.Http/Authentication/SonarrNancyCookie.cs
@ -0,0 +1,33 @@
+using System;
+using Nancy.Cookies;
+
+namespace Sonarr.Http.Authentication
+{
+    public class SonarrNancyCookie : NancyCookie
+    {
+        public SonarrNancyCookie(string name, string value) : base(name, value)
+        {
+        }
+
+        public SonarrNancyCookie(string name, string value, DateTime expires) : base(name, value, expires)
+        {
+        }
+
+        public SonarrNancyCookie(string name, string value, bool httpOnly) : base(name, value, httpOnly)
+        {
+        }
+
+        public SonarrNancyCookie(string name, string value, bool httpOnly, bool secure) : base(name, value, httpOnly, secure)
+        {
+        }
+
+        public SonarrNancyCookie(string name, string value, bool httpOnly, bool secure, DateTime? expires) : base(name, value, httpOnly, secure, expires)
+        {
+        }
+
+        public override string ToString()
+        {
+            return base.ToString() + "; SameSite=Strict";
+        }
+    }
+}