WebUI: Implement "Secure" flag for session cookie

Closes #11724. Option is enabled by default for users using qBittorrent's built-in HTTPS capabilities. This flag will never be set if qBittorrent is using plain HTTP. Users using HTTPS reverse proxies, like "qbt <-> (http) <-> proxy <-> (https) <-> user" should override the flag in the proxy in order to set it, if they wish to do so.
2025-12-18 06:28:03 -06:00 · 2019-12-23 17:58:08 +00:00
parent 18de63f743
commit 691d5e5d89
8 changed files with 37 additions and 0 deletions
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@@ -239,6 +239,7 @@ void AppController::preferencesAction()
    // Security
    data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
    data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
+    data["web_ui_secure_cookie_enabled"] = pref->isWebUiSecureCookieEnabled();
    data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
    // Update my dynamic domain name
    data["dyndns_enabled"] = pref->isDynDNSEnabled();
@@ -608,6 +609,8 @@ void AppController::setPreferencesAction()
        pref->setWebUiClickjackingProtectionEnabled(it.value().toBool());
    if (hasKey("web_ui_csrf_protection_enabled"))
        pref->setWebUiCSRFProtectionEnabled(it.value().toBool());
+    if (hasKey("web_ui_secure_cookie_enabled"))
+        pref->setWebUiSecureCookieEnabled(it.value().toBool());
    if (hasKey("web_ui_host_header_validation_enabled"))
        pref->setWebUIHostHeaderValidationEnabled(it.value().toBool());
    // Update my dynamic domain name