
Cookie flags

Open mnot opened this issue 5 years ago • 4 comments

  • [ ] Secure
  • [ ] HTTPOnly
  • [ ] SameSite

others?

mnot, Apr 08 '19 23:04

Could this include checking for compliance with the prerequisites for cookies with __Secure- and __Host- prefixes perhaps?

Malvoz, Jul 22 '19 20:07

https://slides.com/maximtsoy/the-zen-of-cookies might help; in particular slide 30 (cc @muodov)

zcorpan, Jul 06 '20 21:07

You could also check for "cookie folding": multiple cookies in a single Set-Cookie header used to be supported, but not anymore.

muodov, Jul 10 '20 14:07

Not sure this is the right ticket to report it, but it's related re SameSite. Redbot thinks it's invalid?

  • General:
    • The loid Set-Cookie header has an unknown attribute, 'SameSite'.
    • The session_tracker Set-Cookie header has an unknown attribute, 'SameSite'.
    • The csv Set-Cookie header has an unknown attribute, 'SameSite'.

Is that a known bug? The only thing I can think of is that Reddit sends Secure before SameSite, not after. Though the spec doesn't say that's invalid.

Scratch that... one cookie does the reverse and is still considered invalid:

Set-Cookie: loid=randomstring; Domain=reddit.com; Max-Age=63071999; Path=/; expires=Wed, 04-Jan-2023 02:31:13 GMT; **secure; SameSite=None; Secure**
Set-Cookie: session_tracker=randomstring; Domain=reddit.com; Max-Age=7199; Path=/; expires=Mon, 04-Jan-2021 04:31:13 GMT; secure; **SameSite=None; Secure**

Set-Cookie: csv=1; Max-Age=63072000; Domain=.reddit.com; Path=/; Secure; SameSite=None

Set-Cookie: edgebucket=random; Domain=reddit.com; Max-Age=63071999; Path=/;  secure

Server: snooserv

h1z1, Jan 04 '21 02:01
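The thread above asks for several related checks: the Secure/HttpOnly/SameSite checklist in the issue body, Malvoz's suggestion to verify the `__Secure-` and `__Host-` prefix prerequisites, zcorpan's note about cookie folding, and h1z1's Reddit headers that carry the `Secure` attribute twice. The following is an added example of a small Set-Cookie linter that does all of those, written for this page and not taken from redbot's own code base. The attribute list is the RFC 6265 set plus SameSite; the prefix rules are the `__Secure-` (requires Secure) and `__Host-` (requires Secure and Path=/, forbids Domain) conditions; the folding detector is a heuristic regex that looks for a comma followed by a new `name=` pair and is written to ignore the comma inside an Expires date. The Reddit headers in `PAGE_HEADERS` are copied from h1z1's comment with the bold markers removed; the other inputs in the usage section are constructed.

```python
"""Minimal Set-Cookie linter (added example, not redbot's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Attributes defined by RFC 6265, plus SameSite (RFC 6265bis drafts).
# Vendor extensions such as Priority or Partitioned are deliberately not listed.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}

# Heuristic for "cookie folding": a comma followed by token= starts a second cookie.
# An Expires value like "Wed, 04-Jan-2023 02:31:13 GMT" has no "=" right after the
# comma-separated token, so it does not match.
FOLD_RE = re.compile(r",\s*[^;,=\s]+=")

# Headers quoted in h1z1's comment (bold markers stripped).
PAGE_HEADERS = [
    "loid=randomstring; Domain=reddit.com; Max-Age=63071999; Path=/; "
    "expires=Wed, 04-Jan-2023 02:31:13 GMT; secure; SameSite=None; Secure",
    "session_tracker=randomstring; Domain=reddit.com; Max-Age=7199; Path=/; "
    "expires=Mon, 04-Jan-2021 04:31:13 GMT; secure; SameSite=None; Secure",
    "csv=1; Max-Age=63072000; Domain=.reddit.com; Path=/; Secure; SameSite=None",
    "edgebucket=random; Domain=reddit.com; Max-Age=63071999; Path=/;  secure",
]


@dataclass
class CookieReport:
    name: str
    value: str
    attrs: Dict[str, List[str]]          # lowercased attribute -> values, in header order
    notes: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header into name, value and attribute occurrences."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, List[str]] = {}
    for part in parts[1:]:
        if not part:                      # tolerate ";;" or a trailing ";"
            continue
        key, _, val = part.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return CookieReport(name.strip(), value.strip(), attrs)


def detect_folding(header: str) -> bool:
    """True if the header appears to carry more than one cookie."""
    return FOLD_RE.search(header) is not None


def check_cookie(header: str) -> CookieReport:
    """Run the flag, duplicate, unknown-attribute and prefix checks on one header."""
    report = parse_set_cookie(header)
    attrs = report.attrs

    for key, values in attrs.items():
        if len(values) > 1:               # RFC 6265 keeps the last one, but flag it
            report.notes.append(f"attribute '{key}' appears {len(values)} times")
        if key not in KNOWN_ATTRS:
            report.notes.append(f"unknown attribute '{key}'")

    if "secure" not in attrs:
        report.notes.append("missing Secure")
    if "httponly" not in attrs:
        report.notes.append("missing HttpOnly")

    if "samesite" not in attrs:
        report.notes.append("missing SameSite")
    else:
        raw = attrs["samesite"][-1]
        if raw.lower() not in ("strict", "lax", "none"):
            report.notes.append(f"unrecognized SameSite value '{raw}'")
        elif raw.lower() == "none" and "secure" not in attrs:
            report.notes.append("SameSite=None requires Secure")

    # Prefix prerequisites (exact-case prefixes as in the original proposal).
    if report.name.startswith("__Secure-") and "secure" not in attrs:
        report.notes.append("__Secure- prefix requires Secure")
    if report.name.startswith("__Host-"):
        if "secure" not in attrs:
            report.notes.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            report.notes.append("__Host- prefix forbids Domain")
        if attrs.get("path", [""])[-1] != "/":
            report.notes.append("__Host- prefix requires Path=/")

    if detect_folding(header):
        report.notes.append("possible cookie folding (multiple cookies in one header)")
    return report


def lint_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> list of findings for a set of Set-Cookie headers."""
    return {r.name: r.notes for r in map(check_cookie, headers)}


if __name__ == "__main__":
    for name, notes in lint_headers(PAGE_HEADERS).items():
        print(name, "->", notes or "ok")
    # Constructed folded header, which a modern user agent would reject.
    print("folded:", detect_folding("a=1; Path=/, b=2; Path=/"))
```

Run against the Reddit headers from the thread, the linter reports the doubled `secure`/`Secure` on `loid` and `session_tracker`, a missing HttpOnly everywhere, and a missing SameSite on `edgebucket`; it does not report SameSite itself as unknown, since the attribute order is irrelevant to the parser. The folding heuristic is only that: a cookie whose value legitimately contains `, x=` would be a false positive, which is acceptable for a linter but not for a parser.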