
Use flags for cookies

Open ranweiler opened this issue 8 years ago • 4 comments

On the server, enable Secure and SameSite=Strict in the Set-Cookie header when in production mode (only). In all cases, enable HttpOnly for the session cookie and any other cookie that does not need to be accessible to scripts.

  • [x] HttpOnly
  • [ ] Secure
  • [ ] SameSite=Strict

ranweiler, Sep 11 '17 20:09
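To make the policy in the issue concrete, the following is an added example, not ColoradoRLA code: it builds a Set-Cookie header that always sets HttpOnly and adds Secure and SameSite=Strict only in production mode, and it includes a checker that reports which of those attributes a given Set-Cookie header is missing under the same policy. The `production` flag, the `APP_ENV` environment variable, and the cookie name and values are assumptions made for the example.

```python
"""Cookie-flag policy and Set-Cookie checker (added example, not project code).

Assumptions: production mode is a single boolean (here derived from an
assumed APP_ENV environment variable); the cookie name and values below
are constructed for illustration.
"""
import os
from http import cookies


def is_production() -> bool:
    """Assumed mode switch: the project itself has no such notion yet."""
    return os.environ.get("APP_ENV", "").lower() == "production"


def build_set_cookie(name: str, value: str, production: bool,
                     script_accessible: bool = False) -> str:
    """Return a Set-Cookie header value following the issue's policy.

    HttpOnly is set for every cookie that scripts do not need to read;
    Secure and SameSite=Strict are added only in production mode, so a
    plain-HTTP development server can still receive the cookie.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if not script_accessible:
        morsel["httponly"] = True
    if production:
        morsel["secure"] = True
        morsel["samesite"] = "Strict"
    # Morsel.OutputString emits attributes in sorted key order.
    return morsel.OutputString()


def audit_set_cookie(header: str, production: bool) -> list:
    """Return the policy-required attributes that ``header`` lacks.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if production:
        if "secure" not in attrs:
            missing.append("Secure")
        if attrs.get("samesite", "").lower() != "strict":
            missing.append("SameSite=Strict")
    return missing


if __name__ == "__main__":
    prod = is_production()
    header = build_set_cookie("session", "constructed-token", prod)
    print(header)
    print("missing:", audit_set_cookie(header, prod))
    # A constructed header without flags, checked against production policy:
    print("missing:", audit_set_cookie("session=abc; Path=/", production=True))
```

The checker is the part worth wiring into a test suite: run it against the headers the real server emits in each mode so that a regression that drops HttpOnly (or omits Secure in production) fails a test instead of going unnoticed.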

HttpOnly flag set (with corresponding client changes) in #677.

ranweiler, Sep 11 '17 20:09

Right now, the server does not know the difference between "production mode" and "not production mode"; I can add such a thing (if we think it's really important), but not immediately.

dmzimmerman, Sep 14 '17 00:09

@dmzimmerman let's move this to the final deliverable, as we've addressed the most critical part (HttpOnly for the session token).

ranweiler, Sep 20 '17 18:09

Do we need to do this for this week?

dmzimmerman, Oct 03 '17 17:10