From 3ec450805bfbe5e810a93096b11246afbcd7ff2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ken-H=C3=A5vard=20Lieng?=
Date: Sat, 6 Oct 2018 08:56:29 +0200
Subject: [PATCH] Set SameSite Strict on session cookies

---
 pkg/session/session.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/session/session.go b/pkg/session/session.go
index 12ffb8a6..c25f6c64 100644
--- a/pkg/session/session.go
+++ b/pkg/session/session.go
@@ -48,14 +48,18 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
 	created := time.Unix(s.createdAt, 0)
 	s.lock.Unlock()
 
-	http.SetCookie(w, &http.Cookie{
+	cookie := &http.Cookie{
 		Name:     CookieName,
 		Value:    s.Key(),
 		Path:     "/",
 		Expires:  created.Add(Expiration),
 		HttpOnly: true,
 		Secure:   r.TLS != nil,
-	})
+	}
+
+	if v := cookie.String(); v != "" {
+		w.Header().Add("Set-Cookie", v+"; SameSite=Strict")
+	}
 }
 
 func (s *Session) Expired() bool {
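Review bot: The hand-built `Set-Cookie` header in the new `if v := cookie.String(); v != ""` block reimplements what `net/http` already provides: since Go 1.11 `http.Cookie` has a `SameSite` field, so setting `SameSite: http.SameSiteStrictMode,` in the struct literal and keeping `http.SetCookie(w, cookie)` produces the same attribute while leaving cookie serialization and validation to the standard library; the only reason to keep the string concatenation is a build constraint on an older Go, which should then be stated in a comment such as `// SameSite appended by hand: http.Cookie.SameSite needs Go 1.11+`. Note also that `Strict` withholds the session cookie on any top-level navigation arriving from another site, so users following an external link land on the app unauthenticated; `Lax` keeps that path working while still blocking cross-site POSTs, and which one is right depends on the app's CSRF defenses elsewhere, so the choice deserves a one-line comment at the cookie literal. `SetCookie` begins before this hunk, so the lock acquisition paired with the `s.lock.Unlock()` shown here is not visible.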