# HG changeset patch
# User jbe
# Date 1575903281 -3600
# Node ID a0f1a4e76556fd46982d6e29d0d7fcfd1a45845e
# Parent 59d2aaa6df07829795f7bb2de2fd7acdfbe9d534
Support SameSite cookies

diff -r 59d2aaa6df07 -r a0f1a4e76556 framework/env/request/set_cookie.lua
--- a/framework/env/request/set_cookie.lua Wed Oct 23 19:32:40 2019 +0200
+++ b/framework/env/request/set_cookie.lua Mon Dec 09 15:54:41 2019 +0100
@@ -1,10 +1,11 @@
 --[[--
 request.set_cookie{
- name = name, -- name of cookie
- value = value, -- value of cookie
- domain = domain, -- optional domain domain where cookie is transmitted
- path = path, -- optional path where cookie is transmitted, defaults to application base
- secure = secure -- optional boolean, indicating if cookie should only be transmitted over HTTPS
+ name = name, -- name of cookie
+ value = value, -- value of cookie
+ domain = domain, -- optional domain domain where cookie is transmitted
+ path = path, -- optional path where cookie is transmitted, defaults to application base
+ secure = secure, -- optional boolean, indicating if cookie should only be transmitted over HTTPS
+ samesite = samesite -- SameSite policy set to "strict", "lax", or "none" (all lower-case, defaults to "lax")
 }
 
 This function is similar to rocketwiki.set_cookie{...}, except that it automatically sets the path to the application base. It also sets secure=true, if the secure option is unset and the application base URL starts with "https://".
@@ -52,5 +53,14 @@
 if args.secure then
 parts[#parts+1] = "secure"
 end
+ if args.samesite == "strict" then
+ parts[#parts+1] = "SameSite=Strict"
+ elseif args.samesite == "lax" or args.samesite == nil then
+ parts[#parts+1] = "SameSite=Lax"
+ elseif args.samesite == "none" then
+ parts[#parts+1] = "SameSite=None"
+ else
+ error("Cookie SameSite policy set to unsupported value")
+ end
 request.add_header("Set-Cookie", table.concat(parts, "; "))
 end
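Review bot: The `elseif args.samesite == "none"` branch emits `SameSite=None` without requiring the `secure` attribute that the preceding `if args.secure` block only adds conditionally; current browsers reject a `SameSite=None` cookie that is not also marked Secure, so the cookie is silently dropped rather than sent cross-site. Per the header comment, secure is only defaulted to true when the application base URL starts with "https://", so a plain-HTTP deployment (or an explicit `secure = false`) can reach this combination. Consider failing fast in that branch, `elseif args.samesite == "none" then if not args.secure then error("SameSite=None requires secure=true", 2) end`, or at least state the requirement in the samesite option comment of the first hunk. The final `else` branch could likewise pass level 2 to `error` so the message points at the caller rather than at set_cookie itself. The body of request.set_cookie starts outside the hunk, so whether args.secure has already been defaulted at this point is inferred from the doc comment, not visible here.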