pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 22d20c497b813cdaedddb40a46df2f597311b235
parent: c3f562a611c71fb07d4afa6ad6054eda4583f36f
Author: lambda <pleromagit@rogerbraun.net>
Date:   Tue, 13 Nov 2018 13:23:04 +0000

Merge branch 'security/cookie-hardening' into 'develop'

Add __Host- prefix when secure flag is enabled

See merge request pleroma/pleroma!446

Diffstat:

M lib/pleroma/web/endpoint.ex | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex @@ -46,13 +46,18 @@ defmodule Pleroma.Web.Endpoint do plug(Plug.MethodOverride) plug(Plug.Head) + cookie_name = + if Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag), + do: "__Host-pleroma_key", + else: "pleroma_key" + # The session will be stored in the cookie and signed, # this means its contents can be read but not tampered with. # Set :encryption_salt if you would also like to encrypt it. plug( Plug.Session, store: :cookie, - key: "_pleroma_key", + key: cookie_name, signing_salt: "CqaoopA2", http_only: true, secure:
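Review bot: the `else:` branch drops the leading underscore, so the non-secure cookie becomes `pleroma_key` while the removed line used `_pleroma_key`; unless that rename is intended, every existing session on a deployment without `secure_cookie_flag` is invalidated on upgrade, and the fallback should probably stay `"_pleroma_key"`. Two further points on the same hunk: `cookie_name` is computed in the module body, so `Application.get_env(:pleroma, Pleroma.Web.Endpoint)` is read at compile time and toggling `secure_cookie_flag` later has no effect until the endpoint is recompiled, which is worth a comment next to the assignment; and a `__Host-` prefixed cookie is only accepted by browsers when it carries `Secure`, `Path=/` and no `Domain` attribute, so the `Plug.Session` options (the `secure:` line is cut off here) need to satisfy all three, otherwise the session cookie is silently rejected rather than hardened.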