From 41cdc08b05d5dc2835ab0c62e4b175a279b0d731 Mon Sep 17 00:00:00 2001
From: davidby-influx <dbyrne@influxdata.com>
Date: Wed, 20 Dec 2023 09:56:31 -0800
Subject: [PATCH] fix: HttpOnly always true in cookies

---
 session/http_server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/session/http_server.go b/session/http_server.go
index f0e80da0a2e..b78d5fea8f7 100644
--- a/session/http_server.go
+++ b/session/http_server.go
@@ -208,7 +208,7 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled
 		Path:     "/api/", // since UI doesn't need it, limit cookie usage to API requests
 		Expires:  s.ExpiresAt,
 		SameSite: http.SameSiteStrictMode,
-		HttpOnly: tlsEnabled,
+		HttpOnly: true,
 		Secure:   tlsEnabled,
 	}