
HttpOnly, Secure, SameSite=strict cookies

Open rtomlinson-latacora opened this issue 6 years ago • 3 comments

Hello,

I was wondering if there was a reason that the token cookie isn't using some of the properties listed in the title. I noticed that httpOnly is used for the 'NONCE' cookie on line 271 of index.js but wasn't seeing it anywhere else. I'll keep digging around but if y'all had some insight already that would be super helpful. Thank you.

rtomlinson-latacora avatar Jun 05 '19 18:06 rtomlinson-latacora

I just added the secure, httpOnly, and sameSite flags to the TOKEN cookie and everything seems to be working fine.

rtomlinson-latacora avatar Jun 05 '19 20:06 rtomlinson-latacora

Great! If you'd like to make a PR, I'd be happy to review and merge it :)

payton avatar Jun 06 '19 01:06 payton

Sounds good, however I've only vetted that the updated cookies work with GSuite's auth flow.

rtomlinson-latacora avatar Jun 06 '19 21:06 rtomlinson-latacora