Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set the Secure flag on Popcode's session token cookie #1587

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

andy11
Copy link

@andy11 andy11 commented Oct 9, 2018

Sets the Secure flag to true on the Popcode's session token cookie.

It would be nice to also set the HttpOnly flag, but this is not supported: js-cookie/js-cookie#344.

NOTE: This should not be considered an important security issue, just a minor nit that's probably worth merging eventually :-)

@outoftime outoftime self-requested a review October 10, 2018 23:50
{expires: new Date(Date.now() + SESSION_TTL_MS)},
{
expires: new Date(Date.now() + SESSION_TTL_MS),
secure: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andy11 this seems like a reasonable change, but unfortunately it does break behavior in development, where people will typically not be running Popcode over https. So, we should make this behavior configurable, by:

  • Introducing an environment variable e.g. REQUIRE_SECURE_SESSION_COOKIE
  • Passing it through to the client-side code via Webpack (with a default of false)
  • Adding it with value true in our Travis configuration (I will do this once the code is ready)
  • Exposing it as a boolean via the config module

The specific behavior is retaining the user session on refresh—you’ll find that right now, if you log in and then refresh the page with this branch checked out, you’ll be logged back out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants