From 917b57e6ac819d517293a5706aad6e301774b6ea Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Wed, 12 Feb 2025 18:59:22 +0100
Subject: [PATCH 1/3] BC-8974 make session cookie httponly and set samesite
---
 app.js | 4 +++-
 config/default.schema.json | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/app.js b/app.js
index bb60c1e2ab..c298100ad7 100644
--- a/app.js
+++ b/app.js
@@ -140,7 +140,9 @@ if (redisUrl) {
 const SIX_HOURS = 1000 * 60 * 60 * 6;
 app.use(session({
 cookie: {
- // TODO ...cookieDefaults,
+ httpOnly: true,
+ sameSite: Configuration.get('SESSION_COOKIE_SAME_SITE'),
+ secure: 'auto',
 maxAge: SIX_HOURS,
 },
 rolling: true, // refresh session with every request within maxAge
diff --git a/config/default.schema.json b/config/default.schema.json
index 408c2811d4..49f3fd4629 100644
--- a/config/default.schema.json
+++ b/config/default.schema.json
@@ -279,6 +279,11 @@
 "default": "",
 "description": "A string with concatenated user types (student, employee) that don't need to explicitly state their consent with the terms and conditions. \"employee\" means teachers and admins"
 },
+ "SESSION_COOKIE_SAME_SITE": {
+ "type": "string",
+ "default": "lax",
+ "description": "express-session cookie samesite attribute"
+ },
 "COOKIE": {
 "type": "object",
 "description": "Cookie properties, required always to be defined",
From bc936436e8db53e4639e0f7fce1fd98cd190f4dc Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Thu, 13 Feb 2025 13:19:20 +0100
Subject: [PATCH 2/3] fix some docker build warnings
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b9fe6972a9..2c11ca68d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/node:22 as git
+FROM docker.io/node:22 AS git
 RUN mkdir /app && chown -R node:node /app
 WORKDIR /app
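Review bot: `secure: 'auto'` on the new cookie options makes express-session set the Secure flag only when it judges the request itself to be HTTPS, which behind a TLS-terminating proxy depends on `app.set('trust proxy', …)` being configured; whether that setting exists is outside this hunk, and if it is missing the session cookie is issued without Secure in production. `sameSite` is passed straight from `Configuration.get('SESSION_COOKIE_SAME_SITE')` with no validation, so an unexpected value is not rejected at startup and presumably only surfaces when a cookie is serialized; constraining the value in the `config/default.schema.json` hunk of this patch is the simplest fix. A short comment on the `secure: 'auto'` line would help the next reader, e.g. `// 'auto' derives Secure from req.secure — needs 'trust proxy' behind a TLS-terminating proxy`. The `app.use(session({` call continues past the end of the hunk.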
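Review bot: `SESSION_COOKIE_SAME_SITE` is declared only as `"type": "string"`, so the schema accepts any text even though only the values the SameSite attribute defines are meaningful; adding `"enum": ["lax", "strict", "none"]` next to `"type": "string"` turns a typo into a configuration-load error instead of a per-request failure. The description could also state the interaction that matters operationally, e.g. `"description": "express-session cookie SameSite attribute (lax, strict or none); none is only honoured by browsers when the cookie is also Secure"`. The `lax` default introduced here is changed to `strict` by the third patch of this series.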
@@ -55,4 +55,4 @@ COPY --from=git /app/version /home/node/app/static/version
 # "build" .. this basically throws out non relevant files for the theme under build and does scss to css stuff
 RUN export NODE_OPTIONS=--openssl-legacy-provider && node node_modules/gulp/bin/gulp.js clear-cache && node node_modules/gulp/bin/gulp.js
-CMD npm start
+CMD ["npm", "start"]
From 2a308637c9c1694f7ec397cabd94e8f38397b06f Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Tue, 18 Feb 2025 11:04:57 +0100
Subject: [PATCH 3/3] default to strict as there are no complaints so far
---
 config/default.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/default.schema.json b/config/default.schema.json
index 49f3fd4629..30b319c3be 100644
--- a/config/default.schema.json
+++ b/config/default.schema.json
@@ -281,7 +281,7 @@
 },
 "SESSION_COOKIE_SAME_SITE": {
 "type": "string",
- "default": "lax",
+ "default": "strict",
 "description": "express-session cookie samesite attribute"
 },
 "COOKIE": {
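Review bot: Defaulting to `strict` means browsers withhold the session cookie on any top-level navigation that originates from another site, so a login flow that redirects the user back from an external identity provider — if this application has one, which the hunk does not show — would arrive without the session and appear logged out. The commit message justifies the change only with the absence of complaints; recording the trade-off in the schema description would help the next reader, e.g. `"description": "express-session cookie SameSite attribute; strict withholds the cookie on cross-site top-level navigations (e.g. redirects back from external login providers)"`. The option still accepts arbitrary strings here; an `"enum": ["lax", "strict", "none"]` would make the permitted values self-documenting.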