CSSS / csss-site-backend

CSSS Website Backend (2024 - Present)
4 stars 0 forks source link

Only pass session id cookie to api #65

Open EarthenSky opened 3 months ago

EarthenSky commented 3 months ago

Note that if a cookie's SameSite attribute is set to Strict or Lax, then the cookie will not be sent cross-site, even if credentials is set to include.

We should look into only sending the session id cookie to the api endpoint.

Since our session tokens are reasonably sized (& intended to be private), it's a good idea to not go throwing them at every page & resource GET. There's no security or performance issue of course (latency is way slower than several bytes of data), but it's a good idea to only do what's necessary.

Unless of course, we have some need in the future for non-api pages to serve restricted content? (https://github.com/CSSS/csss-site-backend/issues/54)

micahdbak commented 3 months ago

FYI I'm pretty sure this is only something that can be configured from the frrontend

micahdbak commented 3 months ago

but if it can be enforced by the backend somehow that would be kewl

EarthenSky commented 3 months ago

Cookies are intended to be issued by servers. They're a method by which a server can store data on the client. Local storage is how a client can store data on the client & not automatically sent it to the server (🔥). It's true that clients can create cookies, but it's not a great idea unless it's intended to communicate with the server somehow.

Give a quick scan through the mozzilla page for it

You'll see in auth/login the cookie is set by the server. This is where we'd want to look into adding attributes to it.

Of course, maybe it's not even worth it as mentioned above.

micahdbak commented 3 months ago

Right yes, but what I mean is that the server issues the auth cookie, but once it's in the client's browser, the server can't really force the client to not send the cookie for GET requests, but do send the cookie for other requests - or at least not that I know of.

I think to prevent the client sending certain cookies, or any cookies for certain requests, this is something that must be done from inside the Fetch API

EarthenSky commented 3 months ago

at least not that I know of

See the same site attribute I linked to at the beginning of this PR \:)

Though actually, it seems that wasn't the exact attribute we'd care about, instead the path attribute is the one we'd care about

micahdbak commented 3 months ago

Ahh, yeah, I've read about same site before and was like, this isn't gonna work for this case 🤣

Restricting to the path would definitely fix this, and that's something the backend can do

micahdbak commented 3 months ago

Nice!