[BugReport] Session cookie naming, failure to add __Secure- prefix

[Pancake11]

Hi, I'm currently trying to set my session cookie to follow the MDN recommendation by adding the prefix __Secure- to my session cookie.

By putting __Secure-session_cookie in the session.name field of the user/config/system.yaml i get the following cookie name in my responses from the website secure-session-cookie, it seems that grav trims the leading underscores and puts everything in lowercase.

This issue appears with localhost and on a nginx hosted server.

yaml:

session:
  enabled: true
  initialize: true
  timeout: 1800
  name: __Secure-session-cookie
  uniqueness: path
  secure: true
  secure_https: true
  httponly: true
  samesite: Lax
  split: true
  domain: null
  path: null

result in website:

This appears using Microsoft Edge browser or by using wget.

Grav version: 1.7.43
Php version: 8.1.2

MDN link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes

[Rotzbua]

@Pancake11 I thought cookie prefix is obsolete if HSTS is used?

[Pancake11]

Cookie prefix is not as usefull if it is used with HSTS, however I do think it is still relevant to add the support for this feature as it can be usefull for persons who can't or have not enabled HSTS yet.