From 898cfe8212a5940dba6552196ddd243f912b5942 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 11 Feb 2020 10:18:33 +0100
Subject: [PATCH 5/7] daemon: fix cookie options

---
 pcs/daemon/app/session.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/pcs/daemon/app/session.py b/pcs/daemon/app/session.py
index b4d29add..dcbb4c23 100644
--- a/pcs/daemon/app/session.py
+++ b/pcs/daemon/app/session.py
@@ -4,10 +4,16 @@ from pcs.daemon.auth import check_user_groups, authorize_user
 PCSD_SESSION = "pcsd.sid"
 
 class Mixin:
-    __session = None
     """
     Mixin for tornado.web.RequestHandler
     """
+
+    __session = None
+    __cookie_options = {
+        "secure": True,
+        "httponly": True,
+    }
+
     def initialize(self, session_storage: Storage):
         self.__storage = session_storage
 
@@ -63,7 +69,7 @@ class Mixin:
         """
         Write the session id into a response cookie.
         """
-        self.set_cookie(PCSD_SESSION, self.session.sid)
+        self.set_cookie(PCSD_SESSION, self.session.sid, **self.__cookie_options)
 
     def put_request_cookies_sid_to_response_cookies_sid(self):
         """
@@ -73,7 +79,9 @@ class Mixin:
         #TODO this method should exist temporarily (for sinatra compatibility)
         #pylint: disable=invalid-name
         if self.__sid_from_client is not None:
-            self.set_cookie(PCSD_SESSION, self.__sid_from_client)
+            self.set_cookie(
+                PCSD_SESSION, self.__sid_from_client, **self.__cookie_options
+            )
 
     def was_sid_in_request_cookies(self):
         return self.__sid_from_client is not None
-- 
2.21.1