From c9f1966e29a4fbc2904149a205b613010ad4646b Mon Sep 17 00:00:00 2001
From: jannfis
Date: Tue, 15 Oct 2019 17:51:47 +0200
Subject: [PATCH] Set cookie policy to SameSite=lax and httpOnly
---
 server/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/server.go b/server/server.go
index 9e9187fda34df..c2f321c397675 100644
--- a/server/server.go
+++ b/server/server.go
@@ -478,7 +478,7 @@ func (a *ArgoCDServer) newGRPCServer() *grpc.Server {
 // TranslateGrpcCookieHeader conditionally sets a cookie on the response.
 func (a *ArgoCDServer) translateGrpcCookieHeader(ctx context.Context, w http.ResponseWriter, resp golang_proto.Message) error {
 if sessionResp, ok := resp.(*sessionpkg.SessionResponse); ok {
- flags := []string{"path=/"}
+ flags := []string{"path=/", "SameSite=lax", "httpOnly"}
 if !a.Insecure {
 flags = append(flags, "Secure")
 }
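Review bot: The new flag list on the `flags := []string{...}` line has no comment recording why `SameSite=lax` was chosen rather than `Strict`, so a later reader cannot tell what depends on that choice. Lax still sends the session cookie on top-level cross-site GET navigations, so it only helps against CSRF if no state-changing endpoint accepts GET; a comment such as `// SameSite=Lax: withheld on cross-site subrequests and POSTs, still sent on top-level GET navigation; HttpOnly keeps the token away from page scripts.` would make that explicit. Browsers treat the attribute names case-insensitively, but spelling them `SameSite=Lax` and `HttpOnly` would match the existing `Secure` and the conventional casing. `Secure` remains conditional on `!a.Insecure`, so in insecure mode the token cookie can still travel over plain HTTP, which deserves a mention in the same comment. The body of translateGrpcCookieHeader continues outside the hunk, so how the flags are joined into the header is not visible here.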