modified to add a max-age value and a same-site value to cookie.

defaults/application.ini

@@ -120,6 +120,10 @@ Session.CookieDomain=
 # Specifies a path attribute to set in the session cookie. Defaults to /.
 Session.CookiePath=/
 
+# Specifies a value to assert that a cookie must not be sent with cross-origin
+# requests; Strict, Lax or None.
+Session.CookieSameSite=Lax
+
 # Probability that the garbage collection starts.
 # If 100 specified, the GC of sessions starts at the rate of once per 100
 # accesses. If 0 specified, the GC never starts.

include/TCookie

@@ -1 +1 @@
-#include "tcookiejar.h"
+#include "tcookie.h"

include/tcookie.h

@@ -1 +1 @@
-#include "../src/tcookiejar.h"
+#include "../src/tcookie.h"

src/corelib.pro

@@ -155,6 +155,8 @@ HEADERS += toption.h
 SOURCES += toption.cpp
 HEADERS += ttemporaryfile.h
 SOURCES += ttemporaryfile.cpp
+HEADERS += tcookie.h
+SOURCES += tcookie.cpp
 HEADERS += tcookiejar.h
 SOURCES += tcookiejar.cpp
 HEADERS += tsession.h
@@ -327,7 +329,6 @@ HEADERS += \
            tfnamespace.h \
            tfcore.h \
            tfexception.h \
-           tcookie.h \
            tdispatcher.h \
            tloggerplugin.h \
            tsessionobject.h \

src/tactioncontext.cpp

@@ -60,6 +60,7 @@ void TActionContext::execute(THttpRequest &request, int sid)
     static const bool SessionAutoIdRegeneration = Tf::appSettings()->value(Tf::SessionAutoIdRegeneration).toBool();
     static const QString SessionCookiePath = Tf::appSettings()->value(Tf::SessionCookiePath).toString().trimmed();
     static const QString SessionCookieDomain = Tf::appSettings()->value(Tf::SessionCookieDomain).toString().trimmed();
+    static const QByteArray SessionCookieSameSite = Tf::appSettings()->value(Tf::SessionCookieSameSite).toByteArray().trimmed();
 
     THttpResponseHeader responseHeader;
 
@@ -193,12 +194,8 @@ void TActionContext::execute(THttpRequest &request, int sid)
                                 }
                             }());
 
-                            QDateTime expire;
-                            if (SessionCookieMaxAge > 0) {
-                                expire = QDateTime::currentDateTime().addSecs(SessionCookieMaxAge);
-                            }
-
-                            currController->addCookie(TSession::sessionName(), currController->session().id(), expire, SessionCookiePath, SessionCookieDomain, false, true);
+                            currController->addCookie(TSession::sessionName(), currController->session().id(), SessionCookieMaxAge,
+                                                      SessionCookiePath, SessionCookieDomain, false, true, SessionCookieSameSite);
 
                             // Commits a transaction for session
                             commitTransactions();

src/tactioncontroller.cpp

@@ -133,7 +133,7 @@ bool TActionController::addCookie(const TCookie &cookie)
     cookieJar.addCookie(cookie);
     response.header().removeAllRawHeaders("Set-Cookie");
     for (auto &ck : (const QList<TCookie>&)cookieJar.allCookies()) {
-        response.header().addRawHeader("Set-Cookie", ck.toRawForm());
+        response.header().addRawHeader("Set-Cookie", ck.toRawForm(QNetworkCookie::Full));
     }
     return true;
 }
@@ -142,14 +142,31 @@ bool TActionController::addCookie(const TCookie &cookie)
   Adds the cookie to the internal list of cookies.
  */
 bool TActionController::addCookie(const QByteArray &name, const QByteArray &value, const QDateTime &expire,
-                                  const QString &path, const QString &domain, bool secure, bool httpOnly)
+                                  const QString &path, const QString &domain, bool secure, bool httpOnly,
+                                  const QByteArray &sameSite)
 {
     TCookie cookie(name, value);
     cookie.setExpirationDate(expire);
     cookie.setPath(path);
     cookie.setDomain(domain);
     cookie.setSecure(secure);
     cookie.setHttpOnly(httpOnly);
+    cookie.setSameSite(sameSite);
+    return addCookie(cookie);
+}
+
+
+bool TActionController::addCookie(const QByteArray &name, const QByteArray &value, qint64 maxAge, const QString &path,
+                                  const QString &domain, bool secure, bool httpOnly, const QByteArray &sameSite)
+{
+    TCookie cookie(name, value);
+    cookie.setMaxAge(maxAge);
+    cookie.setExpirationDate(QDateTime::currentDateTime().addSecs(maxAge));  // For IE11
+    cookie.setPath(path);
+    cookie.setDomain(domain);
+    cookie.setSecure(secure);
+    cookie.setHttpOnly(httpOnly);
+    cookie.setSameSite(sameSite);
     return addCookie(cookie);
 }
 

src/tactioncontroller.h

@@ -63,7 +63,8 @@ class T_CORE_EXPORT TActionController : public QObject, public TAbstractControll
     TSession &session() { return sessionStore; }
     void setSession(const TSession &session);
     bool addCookie(const TCookie &cookie);
-    bool addCookie(const QByteArray &name, const QByteArray &value, const QDateTime &expire = QDateTime(), const QString &path = QString(), const QString &domain = QString(), bool secure = false, bool httpOnly = false);
+    bool addCookie(const QByteArray &name, const QByteArray &value, const QDateTime &expire = QDateTime(), const QString &path = QString(), const QString &domain = QString(), bool secure = false, bool httpOnly = false, const QByteArray &sameSite = "Lax");
+    bool addCookie(const QByteArray &name, const QByteArray &value, qint64 maxAge, const QString &path = QString(), const QString &domain = QString(), bool secure = false, bool httpOnly = false, const QByteArray &sameSite = "Lax");
     QByteArray contentType() const;
     void setContentType(const QByteArray &type);
     bool render(const QString &action = QString(), const QString &layout = QString());

src/tappsettings.cpp

@@ -50,6 +50,7 @@ class AttributeMap : public QMap<int, QString>
         insert(Tf::SessionCookieMaxAge, "Session.CookieMaxAge");
         insert(Tf::SessionCookieDomain, "Session.CookieDomain");
         insert(Tf::SessionCookiePath, "Session.CookiePath");
+        insert(Tf::SessionCookieSameSite, "Session.CookieSameSite");
         insert(Tf::SessionGcProbability, "Session.GcProbability");
         insert(Tf::SessionGcMaxLifeTime, "Session.GcMaxLifeTime");
         insert(Tf::SessionSecret, "Session.Secret");

src/tcookie.h

@@ -1 +1,34 @@
-#include "tcookiejar.h"
+#ifndef TCOOKIE_H
+#define TCOOKIE_H
+
+#include <TGlobal>
+#include <QNetworkCookie>
+
+
+class TCookie : public QNetworkCookie
+{
+public:
+    TCookie(const QByteArray &name = QByteArray(), const QByteArray &value = QByteArray());
+    TCookie(const TCookie &other);
+    TCookie(const QNetworkCookie &other);
+    ~TCookie() {}
+
+    TCookie &operator=(const TCookie &other);
+    qint64 maxAge() const { return _maxAge; }
+    void setMaxAge(qint64 maxAge) { _maxAge = maxAge; }
+    QByteArray sameSite() const { return _sameSite; }
+    bool setSameSite(const QByteArray &sameSite);
+
+    void swap(TCookie &other);
+    QByteArray toRawForm(QNetworkCookie::RawForm form = QNetworkCookie::Full) const;
+    bool operator!=(const TCookie &other) const;
+    bool operator==(const TCookie &other) const;
+
+    static QList<TCookie> parseCookies(const QByteArray &cookieString);
+
+private:
+    qint64 _maxAge {INT64_MIN};
+    QByteArray _sameSite;
+};
+
+#endif // TCOOKIE_H

src/tcookiejar.h

@@ -3,11 +3,9 @@
 
 #include <QList>
 #include <QString>
-#include <QNetworkCookie>
+#include <TCookie>
 #include <TGlobal>
 
-using TCookie = QNetworkCookie;
-
 #ifdef Q_CC_MSVC
 extern uint qHash(const TCookie &key);
 #endif

src/tfnamespace.h

@@ -200,6 +200,8 @@ namespace Tf
         CacheBackend,
         CacheGcProbability,
         CacheEnableCompression,
+        //
+        SessionCookieSameSite,
     };
 
     // Reason codes why a web socket has been closed