
Cookies com.auth0.auth.* have no secure flag #1050

Closed
azat-galiev opened this issue Oct 22, 2019 · 9 comments · Fixed by #1160

Comments

@azat-galiev

azat-galiev commented Oct 22, 2019

Description

Cookies created after calling to WebAuth.authorize method have no secure flag when using https protocol.

Reproduction

  1. Call WebAuth.authorize method.
  2. It will create cookie that starts with "com.auth0.auth".
  3. Even if you are using https protocol, there is no secure flag on cookie.

Environment

Please provide the following:

  • Version of this library used: 9.11.3
  • Version of the platform or framework used, if applicable: Angular 8.2.8
@joshcanhelp
Contributor

@garyfreeman - The cookie that it's setting with that name is just a nonce/state value, something that's not important to protect and only used by Auth0.js. We set the cookie, attach the value to the authorize URL, redirect, then check the value when it comes back. There's nothing in that value that's sensitive and it's not meant to be sent anywhere.

I'll close this for now but let me know if you have any other questions here.

@joshcanhelp joshcanhelp removed their assignment Oct 22, 2019
@jgautheron

jgautheron commented Dec 4, 2019

@joshcanhelp - Even though no critical data is stored, for some security audits, any cookie that is not secured will be a blocking issue. Any chance we could add the option to add the secure flag to the cookies?

@andrewphahn

andrewphahn commented Dec 4, 2020

This is a blocking issue for us after having a penetration test done, as @jgautheron stated it could be. It seems like a simple fix; would it be possible to address this?

The co/verifier* cookies are also missing the secure flag.

@5sp

5sp commented Mar 16, 2021

@joshcanhelp, this has been a blocking issue for us with pen test. Same as @andrewphahn and @jgautheron mentioned above.
Any ideas how to avoid/bypass this issue?

@stevehobbsdev
Contributor

We can probably do something like what we do here in Auth0 SPA SDK, where we set the secure attribute if you're using the HTTPS scheme - does this work?
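As an added illustration of the approach described in this comment (example code, not auth0.js or the SPA SDK's own implementation): a cookie-string builder that adds the Secure attribute only when the page scheme is HTTPS, plus a small audit helper that flags cookies with the prefixes named in this thread that lack it. The protocol is passed in explicitly so the code runs outside a browser; in a page you would pass window.location.protocol.

```javascript
// Added example, not auth0.js code: build the attribute string for a short-lived
// state/nonce cookie and add "Secure" only when the scheme is HTTPS.
function buildCookieString(name, value, { protocol, maxAgeSeconds = 600 }) {
  const isHttps = protocol === 'https:';
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    // The redirect back from the authorization server is cross-site, which needs
    // SameSite=None; browsers only accept None together with Secure, so fall
    // back to Lax when the page is served over plain HTTP.
    `SameSite=${isHttps ? 'None' : 'Lax'}`,
  ];
  if (isHttps) parts.push('Secure');
  return parts.join('; ');
}

// Parse one cookie string (a document.cookie assignment or Set-Cookie value)
// into its name and a lower-cased set of attribute names.
function parseCookieString(cookieString) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, flags };
}

// Audit helper in the spirit of the pen-test findings above: return the names
// of cookies matching any of the given prefixes that are missing Secure.
function findInsecureCookies(cookieStrings, prefixes) {
  return cookieStrings
    .map(parseCookieString)
    .filter(({ name }) => prefixes.some((p) => name.startsWith(p)))
    .filter(({ flags }) => !flags.has('secure'))
    .map(({ name }) => name);
}

// Constructed sample input: one state cookie written the old way (no Secure
// even though the page is HTTPS) and one written with the helper above.
const sampleCookies = [
  'com.auth0.auth.abc123=nonce-value; Max-Age=600; Path=/',
  buildCookieString('co/verifier.xyz', 'verifier-value', { protocol: 'https:' }),
];

console.log(findInsecureCookies(sampleCookies, ['com.auth0.auth.', 'co/verifier']));
// -> [ 'com.auth0.auth.abc123' ]
```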

@5sp

5sp commented Mar 16, 2021

We can probably do something like what we do here in Auth0 SPA SDK, where we set the secure attribute if you're using the HTTPS scheme - does this work?

@stevehobbsdev, this looks like a great solution.
EDIT:
From what I can see currently, com.auth0.auth*, co/verifier* and authToken are insecure.
Only com.auth0.auth* is a problem for pentesting.

@stevehobbsdev
Contributor

I've raised #1158, which should fix this; it will be included in the next release 👍

@NikitaKoren

@stevehobbsdev great job! When is the next release scheduled for?

@stevehobbsdev
Contributor

@NikitaKoren We don't have a schedule as such, but there is a piece of work in flight that we want to put into the release as well. I anticipate being able to do a release early next week.
