Skip to content

Set Secure on the session removal cookie#268

Open
cocoliliace wants to merge 3 commits into
maxcountryman:mainfrom
cocoliliace:fix/removal-cookie-secure
Open

Set Secure on the session removal cookie#268
cocoliliace wants to merge 3 commits into
maxcountryman:mainfrom
cocoliliace:fix/removal-cookie-secure

Conversation

@cocoliliace

Copy link
Copy Markdown

Browsers reject __Host-/__Secure--prefixed cookies without Secure, so we must set session_config.secure on the cookie removal path.

Browsers reject `__Host-`/`__Secure-`-prefixed cookies without Secure,
so we must set session_config.secure on the cookie removal path.
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.32%. Comparing base (06f1dbb) to head (3801593).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #268      +/-   ##
==========================================
- Coverage   87.85%   87.32%   -0.53%     
==========================================
  Files           5        5              
  Lines         354      355       +1     
==========================================
- Hits          311      310       -1     
- Misses         43       45       +2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment thread src/service.rs Outdated
cookie.set_domain(domain);
}

// Secure must be set because the removal is a Set-Cookie,

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this comment saying that secure must be true? If so, it doesn't look like the code change is actually enforcing that.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it's saying we must set secure based on the configured value. The wording was unclear. I've changed it to "Preserve the configured Secure attribute".

The reason is that some browsers enforce the cookie prefix rules for security, so if the user uses a cookie name like __Host-my-cookie, the browsers would reject the Set-Cookie if it doesn't have Secure. Since cookie removals are Set-Cookies too, they have to follow the same rules.

I think just using the user-configured secure would be enough, because the users would configure the attribute to whatever works for their use case (eg. secure=true for __Host-my-cookie, or secure=false for http), so the same attributes must also work for the removal Set-Cookie.

I've also added a test case for the secure=false case to better show we're not making it always true.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants