From 32e7ac14d17f4c399e731c29d3619427dff1cce8 Mon Sep 17 00:00:00 2001
From: sentriz
Date: Tue, 31 Mar 2020 16:33:01 +0100
Subject: [PATCH] add httponly, and samesite option to sessions closes #52
---
 server/ctrladmin/ctrl.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/ctrladmin/ctrl.go b/server/ctrladmin/ctrl.go
index 7f131af..e42441c 100644
--- a/server/ctrladmin/ctrl.go
+++ b/server/ctrladmin/ctrl.go
@@ -98,11 +98,14 @@ func New(base *ctrlbase.Controller) *Controller {
 })
 tmplBase = extendFromPaths(tmplBase, prefixPartials)
 tmplBase = extendFromPaths(tmplBase, prefixLayouts)
+ sessDB := gormstore.New(base.DB.DB, sessionKey)
+ sessDB.SessionOpts.HttpOnly = true
+ sessDB.SessionOpts.SameSite = http.SameSiteLaxMode
 return &Controller{
 Controller: base,
 buffPool: bpool.NewBufferPool(64),
 templates: pagesFromPaths(tmplBase, prefixPages),
- sessDB: gormstore.New(base.DB.DB, sessionKey),
+ sessDB: sessDB,
 }
 }
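Review bot: The session options configured just before the `return` in `New` leave `Secure` unset, so the admin session cookie is still sent over plain HTTP even though it is now `HttpOnly` and `SameSite=Lax`. Where the server is reached over TLS (directly or through a reverse proxy), `sessDB.SessionOpts.Secure = true` should be applied, gated on a deployment setting because setting it unconditionally would break plain-HTTP installs. `http.SameSiteLaxMode` still attaches the cookie to cross-site top-level GET navigations, so it only helps against CSRF if no admin route changes state on GET; the routes are not visible in this hunk, so that is worth confirming and recording in a short comment next to the `SameSite` line. `New` begins above the hunk, so any earlier session setup is not visible here.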