Hello Datadog!
Currently RUM supports local storage as a fallback session store when the client runs in an environment which does not meet the requirements for cookie handling and allowFallbackToLocalStorage is enabled.
I would love to see an option where we can enforce local storage as the session store regardless of whether the platform is able to store a cookie or not.
Reason
As mentioned in #590 and #1346, web application security reports mark the session cookie as a low priority finding as it is non-HTTP only. If we, as application developers, could enforce the storage strategy, we could address these findings rather than just "ignoring" them. Whether the fallback strategy works as well as the cookie one or there are some known limitations between the two, we should be able to make this decision.
Possible implementation
Update the InitConfiguration interface with a new flag like enforceToLocalStorage
Update selectSessionStoreStrategyType to check the enforceToLocalStorage flag before checking if the platform is able to handle cookies
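The selection order proposed above, as an added sketch that is neither part of the original issue nor the SDK's own code. The `env` parameter, the two probe helpers, the `fakeEnv` test double and the returned strings are assumptions; so is the choice to return no strategy, rather than fall back to a cookie, when local storage is enforced but unavailable.

```javascript
// Added sketch of the proposal, not the SDK's implementation.
// enforceToLocalStorage is the flag name suggested in the issue; the env
// parameter and both probe helpers are assumptions made for this example.
function canUseCookies(doc) {
  try {
    const probe = 'probe_cookie_test'
    doc.cookie = `${probe}=1; path=/`
    const stored = doc.cookie.includes(`${probe}=1`)
    doc.cookie = `${probe}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`
    return stored
  } catch {
    return false // no document, or cookie access throws
  }
}

function canUseLocalStorage(storage) {
  try {
    const key = 'probe_storage_test'
    storage.setItem(key, '1')
    const stored = storage.getItem(key) === '1'
    storage.removeItem(key)
    return stored
  } catch {
    return false // storage missing, disabled or over quota
  }
}

function selectSessionStoreStrategyType(config, env = globalThis) {
  // Proposed order: the enforce flag is checked before any cookie probe,
  // so no probe cookie is written when local storage is mandated.
  if (config.enforceToLocalStorage) {
    return canUseLocalStorage(env.localStorage) ? 'LocalStorage' : undefined
  }
  if (canUseCookies(env.document)) return 'Cookie'
  if (config.allowFallbackToLocalStorage && canUseLocalStorage(env.localStorage)) {
    return 'LocalStorage'
  }
  return undefined
}

// Constructed browser-like environment so the sketch runs outside a browser.
function fakeEnv({ cookies = true, storage = true } = {}) {
  const items = new Map()
  const document = cookies ? { cookie: '' } : { get cookie() { return '' }, set cookie(_) {} }
  const localStorage = storage && {
    setItem: (k, v) => items.set(k, String(v)),
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    removeItem: (k) => items.delete(k),
  }
  return { document, localStorage }
}
```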