From dafe82af0a477a93708267b7ba6aa14957c1e738 Mon Sep 17 00:00:00 2001
From: Sindre Stephansen
Date: Mon, 9 Mar 2020 16:11:00 +0100
Subject: [PATCH] Make remember cookie HttpOnly
Fixes #24
---
 src/app/views/login.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/app/views/login.py b/src/app/views/login.py
index 53e2952..a7a1b70 100644
--- a/src/app/views/login.py
+++ b/src/app/views/login.py
@@ -63,7 +63,8 @@ class Login():
 session.userid = userid
 if remember:
 rememberme = self.rememberme(remember_timeout)
-web.setcookie('remember', rememberme , remember_timeout, secure=True, samesite='Strict')
+path = web.ctx.homepath + "/"
+web.ctx.headers.append(('Set-Cookie', f'remember={rememberme}; Max-Age={remember_timeout}; Path={path}; Secure; HttpOnly; SameSite=Strict'))
 
 def check_rememberme(self):
 """
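Review bot: The new `web.ctx.headers.append(('Set-Cookie', f'remember={rememberme}; …'))` line builds the cookie header by hand, which bypasses the value quoting and attribute handling that `web.setcookie` provides, so `rememberme` and `remember_timeout` land in the header unescaped; `self.rememberme(remember_timeout)` is defined outside this hunk, so confirm its output can never contain `;`, `,`, CR or LF, and that `remember_timeout` is an integer number of seconds. If the installed web.py exposes the `httponly` keyword on `setcookie` (it appears alongside `samesite`, which the removed line already used), the same result is one line: `web.setcookie('remember', rememberme, remember_timeout, secure=True, httponly=True, samesite='Strict')`, keeping the framework's encoding. If the manual header is kept on purpose (for example to emit `Max-Age` rather than `Expires`), a short comment saying so, e.g. `# Built by hand so Max-Age/HttpOnly are set; value must stay token-safe`, would stop a later maintainer from reverting it. The enclosing method starts before this hunk.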