- changed status to open
Missing cookie flags
Issue #8
resolved
OMCT username: mb
OMCT drops a session cookie with all the security flags disabled; it's a good idea to turn them on:

- secure: makes the browser deliver the cookie over HTTPS connections only. This is a quick and easy win since OMCT is HTTPS by default.
- HTTP: makes the browser ignore any JavaScript requests to read the cookie and only deliver it through HTTP or HTTPS connections. This helps you defend your users against session stealing if an XSS is found in the app. This might be problematic to implement if your code relies on JavaScript to work on that session cookie. I strongly suggest turning it on, and we can chat offline about how to avoid breaking the app if it does.
- SameSite: helps protect your users against CSRF attacks; try to set it to 'strict'.
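The report above asks for three attributes on the session cookie: Secure, the HttpOnly flag (what the report calls HTTP) and SameSite=Strict. The following is an added example, not OMCT code: a small auditor that reports which of those attributes a Set-Cookie header is missing, plus a builder that emits a hardened header with Python's standard library. The cookie name and values are constructed for the demo.

```python
"""
Audit and harden Set-Cookie headers.

Added example (not OMCT code). It shows (1) an auditor that lists which
of Secure / HttpOnly / SameSite a Set-Cookie value lacks and (2) how to
emit a header with all three enabled using http.cookies.SimpleCookie.
"""
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def audit_set_cookie(header_value: str) -> dict:
    """Return {flag: present?} for the first cookie in a Set-Cookie value.

    Attribute names are compared case-insensitively, as browsers do.
    SameSite only counts when set to Strict (what the report asks for)
    or Lax; a bare "SameSite" or "SameSite=None" gives no CSRF protection.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # valueless flag such as Secure
    samesite = str(attrs.get("samesite", "")).lower()
    return {
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": samesite in ("strict", "lax"),
    }


def missing_flags(header_value: str) -> list:
    """List the required flags that the header does not set."""
    report = audit_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if not report[flag]]


def hardened_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value with Secure, HttpOnly and SameSite=Strict."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # not readable from JavaScript
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample: a cookie as the report describes it (no flags).
    weak = "sessionid=abc123; Path=/"
    print("weak cookie is missing:", missing_flags(weak))
    fixed = hardened_session_cookie("sessionid", "abc123")
    print("hardened header:", fixed)
    print("hardened cookie is missing:", missing_flags(fixed))
```

Running the auditor over the headers your app actually sends (for instance from a captured response) gives a quick regression check that the flags stay enabled after future changes.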
Comments (4)
- changed status to on hold
Ok, we'll discuss it!
- changed status to closed
Fixed.
Created [2048] for user:13[mb], with comment [Issue #8].
- changed status to resolved