George S. Baugh 5 лет назад
Сommit
8634b777b2
3 измененных файлов с 5 добавлено и 2 удалено
  1. 3 1
      lib/Trog/Routes/HTML.pm
  2. 1 1
      lib/tCMS/Manual.pod
  3. 1 0
      www/server.psgi

+ 3 - 1
lib/Trog/Routes/HTML.pm

@@ -358,8 +358,10 @@ sub login ($query, $render_cb) {
         my $cookie = Trog::Auth::mksession($query->{username}, $query->{password});
         if ($cookie) {
             # TODO secure / sameSite cookie to kill csrf, maybe do rememberme with Expires=~0
+            my $secure = '';
+            $secure = '; Secure' if $query->{scheme} eq 'https';
             @headers = (
-                "Set-Cookie: tcmslogin=$cookie; HttpOnly",
+                "Set-Cookie: tcmslogin=$cookie; HttpOnly; SameSite=Strict$secure",
             );
             $query->{failed} = 0;
         }
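Review bot: The `Secure` attribute on the new `Set-Cookie` line is keyed off `$query->{scheme}`, which server.psgi fills from `psgi.url_scheme`; when TLS is terminated by a reverse proxy in front of starman that value is `http`, so the login cookie is silently sent without `Secure` in exactly the deployment where it matters. Either honor the proxy's forwarded scheme (Plack::Middleware::ReverseProxy sets `psgi.url_scheme` from `X-Forwarded-Proto`) or make the flag an explicit configuration option rather than a runtime guess; the same concern applies to the `$query->{scheme}` assignment in the www/server.psgi hunk. The `# TODO secure / sameSite cookie to kill csrf` comment directly above is now stale since both attributes are set here; I would rewrite it as `# Secure is only emitted when the request scheme is https; SameSite=Strict limits CSRF (rememberme/Expires still TODO)`. The two-statement `$secure` setup could also be a single `my $secure = $query->{scheme} eq 'https' ? '; Secure' : '';`. The enclosing `login` sub starts and ends outside the hunk.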

+ 1 - 1
lib/tCMS/Manual.pod

@@ -9,7 +9,7 @@ Run these makefile targets:
 
 From there, running tCMS is pretty simple:
 
-    starman www/server.psgi
+    starman --enable-ssl --ssl-key $MY_KEY_PATH --ssl-cert $MY_CERT_PATH www/server.psgi
 
 The application expects to run from the repository root.
 The first time you open the application, you will be presented with a first-time page that tells you to load /login.

+ 1 - 0
www/server.psgi

@@ -130,6 +130,7 @@ my $app = sub {
     $query->{user}   = $active_user;
     $query->{domain} = $env->{HTTP_HOST};
     $query->{route}  = $path;
+    $query->{scheme}  = $env->{'psgi.url_scheme'} // 'http';
 
     my $output =  $routes{$path}{callback}->($query, \&_render);
     return $output;
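Review bot: The added `$query->{scheme}  = ...` line uses two spaces before `=`, breaking the column alignment the three preceding `$query->{...}` assignments keep; it should read `$query->{scheme} = $env->{'psgi.url_scheme'} // 'http';`. The `// 'http'` default is reasonable, but a short comment such as `# used by login() to decide whether the session cookie gets Secure` would tell the next reader why the scheme is being captured here. The enclosing `$app` closure starts outside the hunk.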