set Cookie prefix __Host- #99
Comments
Hi! That's intentional, it serves to be read by JavaScript in order to do things like session timeouts and so forth. The only thing it contains is a timestamp, low risk. It is informational only.
BTW, hope you are doing well! Happy new year! 🎉
Related to changing the cookie names, there was a PR open for customization at that level. I wouldn't be able to "change" things outright with a hardcode, that'd break everything and I'd become a homeless bum after our prod apps break and I get fired. Maybe though, we could explore the 'custom name'. It would mean rewriting a ton of tests though. Not sure it's worth it.
I almost forgot. Happy new year. Hope everything went well for you. My system is up and running. Migration is done! Yehaaa!!! HTTPOnly isn't required for a prefix, so it would work. __Host- prefix: Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie I would hire you, when I had more money. :D When I have time I will check out the option for custom names for cookies. Would be a great feature, because a prefix is another security layer.
Reminder: #28
I see. That was a TIL moment for me, I wasn't aware of semantics for names. Seems like such a bread and butter thing, but I've never come across it. Perhaps I can just add a flag. Rather than names, we can put a flag that reads "add_host_prefix" in config. It'd be too restrictive for my applications (looks like subdomains get blocked), but I see the value.
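Added example, not code from this thread or from the project it belongs to: a small checker for the __Host- prefix rules quoted above (Secure, set over HTTPS, no Domain, Path=/), plus a hypothetical option modelled on the "add_host_prefix" flag discussed above that rewrites a cookie definition so it satisfies them. It also covers the __Secure- prefix, which the thread does not mention but which follows the same pattern with only the Secure/HTTPS requirements. The cookie name `_sessiont` is the one from the thread; the header lines are constructed samples, and `viaHttps` is an assumed input the caller must supply, since a header parser cannot know how the response was served.

```javascript
// Prefix rules as documented on MDN for the Set-Cookie header.
const HOST_PREFIX = "__Host-";
const SECURE_PREFIX = "__Secure-";

// Parse one Set-Cookie header value into a plain object.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    domain: null,
    path: null,
    sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain") cookie.domain = val;
    else if (key === "path") cookie.path = val;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Return the prefix rules the cookie breaks (empty array = browser will accept it).
// `viaHttps` (assumed input) says whether the setting response was served over HTTPS.
function prefixViolations(cookie, viaHttps = true) {
  const problems = [];
  const isHost = cookie.name.startsWith(HOST_PREFIX);
  const isSecure = cookie.name.startsWith(SECURE_PREFIX);
  if (isHost || isSecure) {
    if (!cookie.secure) problems.push("Secure attribute is required");
    if (!viaHttps) problems.push("must be set by an HTTPS response");
  }
  if (isHost) {
    if (cookie.domain !== null) problems.push("Domain attribute must be absent");
    if (cookie.path !== "/") problems.push("Path must be exactly '/'");
  }
  // No HttpOnly check on purpose: neither prefix requires it, so a
  // JavaScript-readable timestamp cookie can still carry the __Host- prefix.
  return problems;
}

// Hypothetical config option (modelled on the "add_host_prefix" flag idea):
// when enabled, rename the cookie and force the attributes the prefix needs.
// Note the side effect the thread points out: Domain is dropped, so the cookie
// is no longer sent to subdomains.
function applyHostPrefix(cookie, addHostPrefix) {
  if (!addHostPrefix || cookie.name.startsWith(HOST_PREFIX)) return { ...cookie };
  return { ...cookie, name: HOST_PREFIX + cookie.name, secure: true, domain: null, path: "/" };
}

// Serialize back to a Set-Cookie header value.
function toSetCookie(cookie) {
  const parts = [`${cookie.name}=${cookie.value}`];
  if (cookie.domain !== null) parts.push(`Domain=${cookie.domain}`);
  if (cookie.path !== null) parts.push(`Path=${cookie.path}`);
  if (cookie.sameSite !== null) parts.push(`SameSite=${cookie.sameSite}`);
  if (cookie.secure) parts.push("Secure");
  if (cookie.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Constructed sample header lines for the timestamp cookie from the thread.
const SAMPLES = [
  "__Host-_sessiont=1704067200; Path=/; Secure",
  "__Host-_sessiont=1704067200; Path=/; Secure; Domain=example.com",
  "__Host-_sessiont=1704067200; Secure",
  "__Secure-_sessiont=1704067200; Domain=example.com",
];

for (const line of SAMPLES) {
  const v = prefixViolations(parseSetCookie(line));
  console.log(v.length === 0 ? "OK " : "BAD", line, v.join("; "));
}

// What the hypothetical flag would emit for today's un-prefixed cookie.
console.log(toSetCookie(applyHostPrefix(parseSetCookie("_sessiont=1704067200; Path=/; Domain=example.com"), true)));
```

Running the samples flags the Domain and missing-Path lines as the browser would (the cookie is silently rejected, not set with a warning), and the last line shows why the flag approach is a behaviour change rather than a rename: the Domain attribute has to go.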
To make the cookies more secure I would love to add the cookie prefix "__Host-". Would that be possible or do you see problems with that?
"_sessiont" maybe doesn't work with this prefix, because it doesn't have the HTTPOnly mode active.