Ability to set a cookie as 'secure' #269

Open
ondrasak opened this issue Feb 19, 2018 · 4 comments

@ondrasak

Problem

I need to set cookies with the ability to flag them as 'secure'.

Proposal

A) Set cookie as 'secure' implicitly if current protocol is 'https'

could bring unexpected issues (one is mentioned in the 'cons' list)

Pros

  • no need to extend the interface of the 'write' method

Cons

  • there could be situations when you'll need to set a cookie without this 'secure' flag (although an app is served by 'https' protocol)

B) Pass options {isSecure: boolean} as the 3rd param to the 'write' method

Pros

  • ability to set if a cookie will be stored as secure or not

Cons

  • need to extend & maintain the interface of the 'write' method

@wstam88

wstam88 commented Apr 18, 2018

Any updates about this issue?

@taylorgoolsby

taylorgoolsby commented Dec 12, 2018

Are there any other fallbacks for Safari private mode besides cookies which are persistent across refreshes?

globalStorage, which looks like it is based on persist-js, is silent on whether or not it supports Safari private mode: jeremydurham/persist-js#39

I don't want to use cookieStorage without secure because I've heard about attacks (or accidents) where the client can be forced to send over http instead of https, and I put sensitive stuff in the client storage. It would be nice to have this layer of security which secure provides.


Also, as for option A versus option B as the OP describes, I like how option A is automatic and easier to maintain. I think it would be nice if option A was enabled by default, and you can pass a third parameter to disable it, so it's like a combination of both options.
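
The combination discussed in this thread (option A as the default, option B as a per-call override), written out as an added example; it is not store.js code and not from any commenter. `serializeCookie`, `writeCookie` and the `path`, `expires` and `sameSite` options are hypothetical names; only `isSecure` comes from the proposal.

```javascript
// Added example: hypothetical helpers, not part of store.js.
// Builds the string assigned to document.cookie, with Secure defaulting to
// the page protocol (option A) and an explicit override (option B).
function serializeCookie(key, value, options, protocol) {
  var opts = options || {};

  // Option A: Secure is implied when the page was loaded over https.
  var secure = protocol === 'https:';

  // Option B: an explicit boolean from the caller wins over the default.
  if (typeof opts.isSecure === 'boolean') {
    secure = opts.isSecure;
  }

  var parts = [encodeURIComponent(key) + '=' + encodeURIComponent(value)];
  parts.push('path=' + (opts.path || '/'));

  if (opts.expires instanceof Date) {
    parts.push('expires=' + opts.expires.toUTCString());
  }

  if (opts.sameSite) {
    // SameSite=None is only accepted by Chrome together with Secure, so fail
    // loudly here instead of letting the browser drop the cookie silently.
    if (/^none$/i.test(opts.sameSite) && !secure) {
      throw new Error('SameSite=None requires the Secure attribute');
    }
    parts.push('SameSite=' + opts.sameSite);
  }

  if (secure) {
    parts.push('Secure');
  }
  return parts.join('; ');
}

// Browser-side wrapper: the protocol comes from the current page.
// HttpOnly is not offered because script cannot set it via document.cookie.
function writeCookie(key, value, options) {
  document.cookie = serializeCookie(key, value, options, window.location.protocol);
}
```

Passing `{isSecure: false}` on an https page covers the case listed under the cons of option A, where a cookie must be written without the flag.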

@Lawlez

Lawlez commented Aug 17, 2020

I am also looking for this functionality. I'm tasked with finding a solution for Safari and the future updates to the rest of the browsers. There should be options to set any of the cookie attributes so we can still use store.js in the future.

Maybe it could also be added as a plugin to allow for more control when setting cookies?

See here for options / best practice: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

@mt-micky

Why is this not merged yet?? :'(
