From 89c789e139b01dbec5140242a04f0c9b3ad4422d Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Wed, 27 May 2026 21:05:47 +0530
Subject: [PATCH] fix(session): add httpOnly, Secure, and SameSite=strict cookie flags

Fixes #554

The session cookie was issued with browser defaults because no cookie options were set. This exposed three attack vectors:

- No httpOnly: any JavaScript on the page could read the session cookie via document.cookie and exfiltrate it to an attacker server.
- No Secure: the cookie was sent over plain HTTP, allowing passive observers on the same network to capture it.
- No SameSite: every cross-origin request the browser made to this origin included the cookie, enabling CSRF attacks.

Added httpOnly:true, sameSite:'strict', and secure conditioned on NODE_ENV=production so local HTTP development still works. Also set maxAge to 24 hours as an explicit session TTL.
---
 backend/server.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/server.js b/backend/server.js
index 48d6ccfb..ae161265 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -28,10 +28,18 @@ app.use(cors({
 // Middleware
 app.use(bodyParser.json());
 
+const isProduction = process.env.NODE_ENV === 'production';
+
 app.use(session({
   secret: process.env.SESSION_SECRET,
   resave: false,
   saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: 'strict',
+    maxAge: 24 * 60 * 60 * 1000,
+  },
 }));
 app.use(passport.initialize());
 app.use(passport.session());
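Review bot: `secure: isProduction` will silently stop the session cookie from being issued at all in any production deployment where TLS is terminated at a proxy or load balancer, because express-session only sets a `secure` cookie when it considers the request itself secure, and that requires the app to trust the proxy's forwarded-proto header; nothing in the hunk enables that. Add `if (isProduction) app.set('trust proxy', 1);` next to the `isProduction` line (before `app.use(session(...))`), and note in the commit description that this is a deployment requirement, otherwise logins will appear to succeed but no session will persist. Separately, `sameSite: 'strict'` withholds the cookie on every cross-site top-level navigation, so if the passport strategies wired in below this hunk include a redirect-based OAuth flow, or the cors() frontend seen in the hunk header is served from a different site, the callback or credentialed XHR will arrive without a session; that may be intended, but it is worth stating in a one-line comment above `sameSite` (e.g. `// 'strict' blocks cross-site callbacks; relax to 'lax' if an OAuth redirect flow is added`) so the next person does not downgrade it blindly.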