From 182914d270e217dd205ffc00fc1a0def1b3e8117 Mon Sep 17 00:00:00 2001
From: Karen Etheridge
Date: Thu, 16 Jan 2020 16:35:51 -0800
Subject: [PATCH] make session cookie even more secure

- assert that a cookie ought not to be sent along with cross-site requests see https://tools.ietf.org/html/draft-west-first-party-cookies-07
- respect cookies with https requests only (although normally the proxy will block http requests anyway)
---
 lib/Conch.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/Conch.pm b/lib/Conch.pm
index b1b48a0ee..a6f9f5ce9 100644
--- a/lib/Conch.pm
+++ b/lib/Conch.pm
@@ -37,6 +37,8 @@ sub startup {
 $self->sessions->cookie_name('conch');
 $self->sessions->default_expiration(86400); # 1 day
+ $self->sessions->samesite('Strict'); # do not send with cross-site requests
+ $self->sessions->secure(1) if $ENV{MOJO_MODE} eq 'production'; # https only
 $self->plugin('Config');
 $self->secrets(delete $self->config->{secrets});
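Review bot: The `secure(1)` guard on the second added line fails open: the Secure flag is set only when `$ENV{MOJO_MODE}` is exactly 'production', so an unset variable (which also raises an uninitialized-value warning under `use warnings`), a PLACK_ENV-driven deployment, or any other mode such as staging silently ships the session cookie without Secure even though the subject line promises https only. Inverting the condition and reading the application's own `mode` accessor, which already falls back to the environment and then to 'development', makes the default the safe one: `$self->sessions->secure(1) unless $self->mode eq 'development'; # https only outside local dev`. `samesite('Strict')` on the first added line fits an API that is not entered by cross-site navigation, but a short comment that the first request arriving via an external link carries no session would save the next reader a trip to the draft. The enclosing `startup` continues outside the hunk.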