
[BugReport] Session cookie naming, failure to add __Secure- prefix

Open Pancake11 opened this issue 2 years ago • 2 comments

Hi, I'm currently trying to set my session cookie to follow the MDN recommendation by adding the prefix __Secure- to my session cookie.

By putting `__Secure-session_cookie` in the `session.name` field of `user/config/system.yaml`, I get the following cookie name in my responses from the website: `secure-session-cookie`. It seems that Grav trims the leading underscores and puts everything in lowercase.

This issue appears with localhost and on a nginx hosted server.

```yaml
session:
  enabled: true
  initialize: true
  timeout: 1800
  name: __Secure-session-cookie
  uniqueness: path
  secure: true
  secure_https: true
  httponly: true
  samesite: Lax
  split: true
  domain: null
  path: null
```

Result in website: [screenshot attached to the original issue]

This appears using Microsoft Edge browser or by using wget.

Grav version: 1.7.43
PHP version: 8.1.2

MDN link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes

Pancake11 avatar Nov 13 '23 15:11 Pancake11
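A quick way to confirm the behaviour reported above is to compare the cookie name the server actually emits against the configured one and check the prefix rules MDN describes. The script below is an added example, not Grav's code; the `Set-Cookie` headers it parses are constructed to mirror the issue (a correctly prefixed cookie, the stripped and lowercased name Grav produced, and a `__Host-` cookie with an attribute the prefix forbids).

```python
"""Check Set-Cookie headers for correct use of the __Secure- / __Host- prefixes."""

# Constructed sample headers: the second one reproduces the renamed cookie
# described in the issue (leading underscores stripped, name lowercased).
SAMPLE_HEADERS = [
    "Set-Cookie: __Secure-session-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: secure-session-cookie=abc123; Path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: __Host-sid=xyz; Path=/; Domain=example.test; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value or None})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def check_prefix(expected_name, header):
    """Return a list of findings; an empty list means the cookie satisfies the prefix rules."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name != expected_name:
        # This is exactly the bug in the report: the configured name never reaches the client.
        findings.append(f"name mismatch: configured {expected_name!r}, server sent {name!r}")
    lowered = name.lower()  # prefixes are compared case-insensitively here (assumption)
    if lowered.startswith("__secure-") or lowered.startswith("__host-"):
        if "secure" not in attrs:
            findings.append("prefixed cookie lacks the Secure attribute")
    if lowered.startswith("__host-"):
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    return findings


if __name__ == "__main__":
    for expected, header in zip(["__Secure-session-cookie"] * 2 + ["__Host-sid"], SAMPLE_HEADERS):
        print(header)
        for finding in check_prefix(expected, header) or ["ok"]:
            print("  -", finding)
```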

@Pancake11 I thought cookie prefix is obsolete if HSTS is used?

Rotzbua avatar Dec 11 '23 21:12 Rotzbua

Cookie prefix is not as useful if it is used with HSTS, however I do think it is still relevant to add the support for this feature as it can be useful for persons who can't or have not enabled HSTS yet.

Pancake11 avatar Dec 12 '23 14:12 Pancake11