diff --git a/src/webui/api/appcontroller.cpp b/src/webui/api/appcontroller.cpp
index 04d3ae4a5..a8352a17b 100644
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@@ -239,6 +239,7 @@ void AppController::preferencesAction()
// Security
data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
+ data["web_ui_secure_cookie_enabled"] = pref->isWebUiSecureCookieEnabled();
data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
// Update my dynamic domain name
data["dyndns_enabled"] = pref->isDynDNSEnabled();
@@ -608,6 +609,8 @@ void AppController::setPreferencesAction()
pref->setWebUiClickjackingProtectionEnabled(it.value().toBool());
if (hasKey("web_ui_csrf_protection_enabled"))
pref->setWebUiCSRFProtectionEnabled(it.value().toBool());
+ if (hasKey("web_ui_secure_cookie_enabled"))
+ pref->setWebUiSecureCookieEnabled(it.value().toBool());
if (hasKey("web_ui_host_header_validation_enabled"))
pref->setWebUIHostHeaderValidationEnabled(it.value().toBool());
// Update my dynamic domain name
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index a1ea0c51a..41a3b4e59 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -337,6 +337,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+ m_isSecureCookieEnabled = pref->isWebUiSecureCookieEnabled();
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
@@ -535,6 +536,7 @@ void WebApplication::sessionStart()
QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
cookie.setHttpOnly(true);
+ cookie.setSecure(m_isSecureCookieEnabled && m_isHttpsEnabled);
cookie.setPath(QLatin1String("/"));
QByteArray cookieRawForm = cookie.toRawForm();
if (m_isCSRFProtectionEnabled)
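Review bot: The `&& m_isHttpsEnabled` gate on the new `cookie.setSecure(...)` line silently discards the user's opt-in whenever TLS is terminated in front of qBittorrent (reverse proxy, ingress), because `m_isHttpsEnabled` only reflects whether this process serves HTTPS itself, so the deployment that most needs the flag never gets it. If the intent is to protect users from locking themselves out over plain HTTP, that trade-off should be stated in code, e.g. `// Only honour the Secure flag when this process terminates TLS; behind a TLS-terminating proxy m_isHttpsEnabled is false and the option is a no-op` — otherwise consider honouring the explicit setting with `cookie.setSecure(m_isSecureCookieEnabled);` and warning in the UI that enabling it without HTTPS makes browsers drop the cookie. A `SameSite` attribute is still not set on the session cookie here, which is worth a follow-up if the Qt version in use supports it. sessionStart()'s body starts and ends outside this hunk.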
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index fdb62f714..cc716cb43 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -153,6 +153,7 @@ private:
QStringList m_domainList;
bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled;
+ bool m_isSecureCookieEnabled;
bool m_isHostHeaderValidationEnabled;
bool m_isHttpsEnabled;
QString m_contentSecurityPolicy;
diff --git a/src/webui/www/private/views/preferences.html b/src/webui/www/private/views/preferences.html
index b021b19a9..193376fa8 100644
--- a/src/webui/www/private/views/preferences.html
+++ b/src/webui/www/private/views/preferences.html
@@ -756,6 +756,10 @@
+
+
+
+