Consider marking the IdentityServer session cookies with __Host prefix #1513

Open
AndersAbel opened this issue Jan 18, 2024 · 0 comments
@AndersAbel
Member

The __Host prefix enforces security rules on the cookie. Consider renaming both the main IdentityServer session cookie idsrv and the temp external cookie to add the __Host prefix.

The __Host prefix does not interfere with cross site usage for front channel logout or session management, so it shouldn't break anything.

It would however enforce deployment best practices:

  • Having IdentityServer on its own host
  • Always use https.
@brockallen brockallen added this to the Future milestone Jan 18, 2024
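The rules the prefix enforces are the browser's, not IdentityServer's: a __Host- cookie is only accepted by the browser if it is marked Secure, carries no Domain attribute and sets Path=/ explicitly, which is exactly why it pins the cookie to a single HTTPS host. The checker below is an added example, not code from the issue or the IdentityServer project; it parses Set-Cookie header values and reports which of those rules a prefixed cookie violates. It deliberately does not require any SameSite value, matching the point above that the prefix leaves cross-site usage (front-channel logout, session management) untouched. The cookie names and header values are constructed samples; "__Host-external" is a placeholder, not the project's real external cookie name.

```python
"""Check Set-Cookie header values against the __Host- / __Secure- prefix rules.

Added example (not IdentityServer code). Rules follow the cookie-prefix
section of RFC 6265bis:
  __Secure-  : must carry the Secure attribute
  __Host-    : must carry Secure, must NOT carry Domain, must set Path=/
SameSite is intentionally not checked: the prefixes do not constrain it.
"""
from dataclasses import dataclass, field


@dataclass
class CookieCheck:
    name: str
    ok: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Attribute names are case-insensitive; flag-style attributes get ""
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie_prefix(header: str) -> CookieCheck:
    """Return the prefix-rule violations for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            problems.append("__Host- cookie must be marked Secure")
        if "domain" in attrs:
            problems.append("__Host- cookie must not carry a Domain attribute")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must set Path=/ explicitly")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("__Secure- cookie must be marked Secure")
    return CookieCheck(name=name, ok=not problems, problems=problems)


# Constructed sample headers (not captured from a real deployment).
SAMPLES = [
    "idsrv=abc; path=/; secure; samesite=none; httponly",           # unprefixed: no rule applies
    "__Host-idsrv=abc; path=/; secure; samesite=none; httponly",    # compliant
    "__Host-idsrv=abc; path=/; samesite=none; httponly",            # missing Secure
    "__Host-idsrv=abc; domain=login.example.test; path=/; secure",  # Domain present
    "__Host-external=abc; secure; httponly",                        # no explicit Path=/
]


def audit(headers=SAMPLES):
    """Check every header in the list and return one CookieCheck per header."""
    return [check_cookie_prefix(h) for h in headers]


if __name__ == "__main__":
    for result in audit():
        status = "OK " if result.ok else "BAD"
        print(status, result.name, "; ".join(result.problems))
```

Running the module prints one line per sample; the three BAD lines show the cookies a browser would silently drop after the rename, which is the deployment-practice enforcement the issue describes (a non-HTTPS or Domain-scoped deployment stops working rather than degrading quietly).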