From f9b176744e6a47837f6153b550a4117e9d453a45 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Mon, 9 Dec 2024 16:45:21 +0100
Subject: [PATCH] SAML2: add cookie with HttpOnly too #10013 (#10047)

---
 .../src/main/java/org/apache/cloudstack/saml/SAMLUtils.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 443091445b1c..fd68e2be1ae9 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -320,6 +320,7 @@ public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, fi
         String sessionKeyCookie = String.format("%s=%s;Domain=%s;Path=%s;%s", ApiConstants.SESSIONKEY, loginResponse.getSessionKey(), domain, path, sameSite);
         s_logger.debug("Adding sessionkey cookie to response: " + sessionKeyCookie);
         resp.addHeader("SET-COOKIE", sessionKeyCookie);
+        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/client/api;%s", ApiConstants.SESSIONKEY, loginResponse.getSessionKey(), sameSite));
     }
 
     /**
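Review bot: The added SET-COOKIE line sets HttpOnly only on a second copy of the session key scoped to the hard-coded path `/client/api`, while the cookie on the line above still carries the same session key without HttpOnly under `Domain`/`Path`, so the key remains readable from script on that scope; if the intent is that script never sees the session key, the flag belongs on the first cookie as well, and if two cookies are deliberate (one for the UI, one for the API), a comment should say so, e.g. `// HttpOnly copy of the session key for the API path; the cookie above stays script-readable for the UI`. The new cookie also hard-codes its path instead of deriving it from the `path` variable used for the first cookie, which is worth a short comment so a later change to `path` is not silently missed. Neither cookie visibly sets `Secure`; unless `sameSite` already carries it, both should, since the session key is sent on every request to the covered path. The enclosing setupSamlUserCookies method starts outside the hunk.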