Set Secure on the session removal cookie#268
Conversation
Browsers reject `__Host-`/`__Secure-`-prefixed cookies without Secure, so we must set session_config.secure on the cookie removal path.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #268 +/- ##
==========================================
- Coverage 87.85% 87.32% -0.53%
==========================================
Files 5 5
Lines 354 355 +1
==========================================
- Hits 311 310 -1
- Misses 43 45 +2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| cookie.set_domain(domain); | ||
| } | ||
|
|
||
| // Secure must be set because the removal is a Set-Cookie, |
There was a problem hiding this comment.
Is this comment saying that secure must be true? If so, it doesn't look like the code change is actually enforcing that.
There was a problem hiding this comment.
No, it's saying we must set secure based on the configured value. The wording was unclear. I've changed it to "Preserve the configured Secure attribute".
The reason is that some browsers enforce the cookie prefix rules for security, so if the user uses a cookie name like __Host-my-cookie, the browsers would reject the Set-Cookie if it doesn't have Secure. Since cookie removals are Set-Cookies too, they have to follow the same rules.
I think just using the user-configured secure would be enough, because the users would configure the attribute to whatever works for their use case (eg. secure=true for __Host-my-cookie, or secure=false for http), so the same attributes must also work for the removal Set-Cookie.
I've also added a test case for the secure=false case to better show we're not making it always true.
Browsers reject
__Host-/__Secure--prefixed cookies without Secure, so we must set session_config.secure on the cookie removal path.