From d696a37f482e3eb11086a3d0bb135496df46718f Mon Sep 17 00:00:00 2001
From: dada0z
Date: Sat, 18 Jun 2022 19:50:00 +0800
Subject: [PATCH] bugfix: Csrf token should be Secure and httpOnly, but not now
---
 server/web/context/context.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/web/context/context.go b/server/web/context/context.go
index e165527b..c85dc45b 100644
--- a/server/web/context/context.go
+++ b/server/web/context/context.go
@@ -270,7 +270,7 @@ func (ctx *Context) XSRFToken(key string, expire int64) string {
 if !ok {
 token = string(utils.RandomCreateBytes(32))
 // TODO make it configurable
- ctx.SetSecureCookie(key, "_xsrf", token, expire, "/", "")
+ ctx.SetSecureCookie(key, "_xsrf", token, expire, "/", "", true, true)
 }
 ctx._xsrfToken = token
 }
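Review bot: The two new positional arguments on the `SetSecureCookie` call hard-code both flags to `true`, so on any deployment served over plain HTTP the browser will not send the `Secure` `_xsrf` cookie back; the lookup that sets `ok` (above the hunk) would then miss on every request and a fresh token would be issued each time, which presumably makes the later token comparison fail. `HttpOnly` also hides the cookie from page scripts, so front ends that copy `_xsrf` from the cookie into a request header will stop working and must use the server-rendered token instead, which deserves a release note. I would read both values from configuration with secure defaults rather than passing literals, and at minimum label them with a comment such as `// others: maxAge, path, domain, secure, httpOnly` above the call, since a bare `true, true` in a variadic list is easy to misorder. The body of `XSRFToken` starts and ends outside the hunk, so how the token is validated is inferred rather than seen.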