From a0d1c42daca7af6cbf3a6c73a89793a06cdbd4c7 Mon Sep 17 00:00:00 2001
From: Ming Deng
Date: Mon, 3 Aug 2020 21:03:08 +0800
Subject: [PATCH] XSRF add secure and http only flag
---
 context/context.go | 2 +-
 context/context_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/context/context.go b/context/context.go
index de248ed2..7c161ac0 100644
--- a/context/context.go
+++ b/context/context.go
@@ -150,7 +150,7 @@ func (ctx *Context) XSRFToken(key string, expire int64) string {
 token, ok := ctx.GetSecureCookie(key, "_xsrf")
 if !ok {
 token = string(utils.RandomCreateBytes(32))
- ctx.SetSecureCookie(key, "_xsrf", token, expire)
+ ctx.SetSecureCookie(key, "_xsrf", token, expire, "", "", true, true)
 }
 ctx._xsrfToken = token
 }
diff --git a/context/context_test.go b/context/context_test.go
index 7c0535e0..e81e8191 100644
--- a/context/context_test.go
+++ b/context/context_test.go
@@ -17,7 +17,10 @@ package context
 import (
 "net/http"
 "net/http/httptest"
+ "strings"
 "testing"
+
+ "github.com/stretchr/testify/assert"
 )
 func TestXsrfReset_01(t *testing.T) {
@@ -44,4 +47,8 @@ func TestXsrfReset_01(t *testing.T) {
 if token == c._xsrfToken {
 t.FailNow()
 }
+
+ ck := c.ResponseWriter.Header().Get("Set-Cookie")
+ assert.True(t, strings.Contains(ck, "Secure"))
+ assert.True(t, strings.Contains(ck, "HttpOnly"))
 }
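Review bot: The new `"", "", true, true` tail on the SetSecureCookie call in XSRFToken hard-codes Secure=true with no way to turn it off, so a browser talking to the app over plain HTTP (local development, or a deployment with no TLS in front of the process) will discard the `_xsrf` cookie; GetSecureCookie on the next request then misses, a fresh token is minted every time, and XSRF verification can never succeed on such a setup. Consider deriving the secure flag from the request scheme or a configuration value instead of a literal, and documenting on XSRFToken that the token cookie is only delivered over HTTPS. The four positional literals are also opaque to a reader: the mapping to path, domain, secure and httponly is presumably fixed by SetSecureCookie's variadic contract, which is outside this hunk — confirm that, and annotate the call with `// path, domain, secure, httponly`. XSRFToken's body begins before and continues past this hunk.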
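Review bot: The new assertions in TestXsrfReset_01 check the raw Set-Cookie string with substring matches, so "Secure" or "HttpOnly" would also be satisfied by those words appearing in a cookie value or in a different cookie, and `Header().Get("Set-Cookie")` returns only the first Set-Cookie value, which silently skips the `_xsrf` cookie if any other cookie is written first (whether that happens depends on setup outside the hunk). Parsing the header with net/http, which the file already imports, and checking the `Secure` and `HttpOnly` fields of the `_xsrf` cookie pins the actual attribute semantics; it also avoids adding testify for two assertions in a file whose existing checks use `t.FailNow()`. The function's body starts outside this hunk.
```go
	// … unchanged: token reset checks …
	var xsrf *http.Cookie
	for _, ck := range (&http.Response{Header: c.ResponseWriter.Header()}).Cookies() {
		if ck.Name == "_xsrf" {
			xsrf = ck
		}
	}
	if xsrf == nil || !xsrf.Secure || !xsrf.HttpOnly {
		t.Fatalf("_xsrf cookie missing Secure/HttpOnly: %+v", xsrf)
	}
```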