lwp: set SameSite attr of auth cookie to 'strict'

This prohibits the cookie from being sent along in cross-site
sub-requests or when the user navigates to a different site.

Signed-off-by: Max Carrara <m.carrara@proxmox.com>

diff --git a/src/PVE/APIClient/LWP.pm b/src/PVE/APIClient/LWP.pm
index ed7e4feecbc1133af06e9202e8dcb5cddd1d7a53..722b35ad9911881b803d46244962de14cf876158 100755 (executable)
--- a/src/PVE/APIClient/LWP.pm
+++ b/src/PVE/APIClient/LWP.pm
@@ -89,7 +89,7 @@ sub update_ticket {
     $self->{ticket} = $ticket;
 
     my $encticket = uri_escape($ticket);
-    my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
+    my $cookie = "$self->{cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
     $agent->default_header('Cookie', $cookie);
 }