From c05c5163e293c92f7e5562df558fe955c7075f7a Mon Sep 17 00:00:00 2001
From: W-Mark Kubacki <wmark@hurrikane.de>
Date: Sat, 16 Apr 2016 21:37:06 +0200
Subject: [PATCH] browse: Don't leak Cookies to sessions in HTTP from HTTPS

---
 middleware/browse/browse.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware/browse/browse.go b/middleware/browse/browse.go
index 0a874ec6..8caed54c 100644
--- a/middleware/browse/browse.go
+++ b/middleware/browse/browse.go
@@ -315,8 +315,8 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 			listing.Sort = sortCookie.Value
 		}
 	} else { // Save the query value of 'sort' and 'order' as cookies.
-		http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: "/"})
-		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+		http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: bc.PathScope, Secure: r.TLS != nil})
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 	}
 
 	if listing.Order == "" {
@@ -325,7 +325,7 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 			listing.Order = orderCookie.Value
 		}
 	} else {
-		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 	}
 
 	listing.applySort()