session icon indicating copy to clipboard operation
session copied to clipboard

Published 20 hours ago verified publisher icon fastify

Questioning the plugin responsibility on checking secure connection

Open qnp opened this issue 4 months ago • 0 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the issue has not already been raised

Issue

Hello,

I'm questioning the relevance of checking whether the connection is secure before responding with a secure session cookie, as done here.

To my understanding, this is not the responsibility of the server to choose whether a secure cookie should be sent or not. It is the browser that own the responsibility of using cookies according to their policies. Hence, the cookie should always be set to the response, even though the subsequent unsecure connections cannot use the cookie. Am I missing something ?

References:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#block_access_to_your_cookies
  • https://security.stackexchange.com/questions/251675/should-the-server-send-secure-cookies-on-unsecured-http-response

Best regards

qnp avatar Oct 17 '24 12:10 qnp