GedMarc / layout

jQuery UI Layout v1.x plugin

Cookie: Use SameSite=Strict if secure #16

Closed melloware closed 4 years ago

melloware commented 4 years ago

I use the client side cookie storage of Layout to remember my layout. The cookie needs to add SameSite=Strict and secure=true if the URL is HTTPS.

  1. We need to detect if the url is HTTPS

  2. If yes apply both secure=true and SameSite=Strict to the cookie.

melloware commented 4 years ago

I think we should dump the jquery.cookie.plugin and switch to js.cookie 3.0.0 here, which supports the SameSite attribute. https://github.com/js-cookie/js-cookie

Then whenever you create a cookie you just need to do this...

var cfg = {}; // whatever cookie options are already being passed (expires, path, ...)

// Only mark the cookie Secure and SameSite=Strict when the page itself is served over HTTPS
if (location.protocol === 'https:') {
    cfg.secure = true;
    cfg.sameSite = 'Strict';
}

Cookies.set(name, value, cfg);
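The HTTPS check described above, written out as an added example (not code from this project or from js-cookie): it serialises the cookie string the plugin would hand to document.cookie and reads it back. `protocol` is passed in instead of read from `location`, and Max-Age is used for expiry, so the functions run outside a browser; both are simplifications of my own.

```javascript
// Added example, not part of the GedMarc/layout project or js-cookie.
// Builds the value assigned to document.cookie, adding Secure and
// SameSite=Strict only when the page is served over HTTPS.
function buildLayoutCookie(name, value, opts, protocol) {
  // Defaults: site-wide path and Lax, which browsers apply anyway
  var cfg = Object.assign({ path: '/', sameSite: 'Lax' }, opts);

  if (protocol === 'https:') {
    // Secure: never sent over plain HTTP.
    // Strict: never attached to requests initiated from another site.
    cfg.secure = true;
    cfg.sameSite = 'Strict';
  }

  var parts = [encodeURIComponent(name) + '=' + encodeURIComponent(value)];
  if (cfg.path) parts.push('Path=' + cfg.path);
  if (typeof cfg.maxAge === 'number') parts.push('Max-Age=' + cfg.maxAge);
  if (cfg.sameSite) parts.push('SameSite=' + cfg.sameSite);
  if (cfg.secure) parts.push('Secure');
  // HttpOnly is deliberately absent: script cannot set it, and the plugin's
  // readCookie needs to read the value back, as the thread points out.
  return parts.join('; ');
}

// Reads one cookie out of a document.cookie style "a=1; b=2" string.
function readLayoutCookie(cookieString, name) {
  var pairs = cookieString ? cookieString.split('; ') : [];
  for (var i = 0; i < pairs.length; i++) {
    var idx = pairs[i].indexOf('=');
    if (idx < 0) continue;
    if (decodeURIComponent(pairs[i].slice(0, idx)) === name) {
      return decodeURIComponent(pairs[i].slice(idx + 1));
    }
  }
  return null; // not set
}

// Constructed sample state, as the layout plugin might store it
var state = 'north=closed';
console.log(buildLayoutCookie('layout', state, { maxAge: 3600 }, 'https:'));
console.log(buildLayoutCookie('layout', state, { maxAge: 3600 }, 'http:'));
```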
GedMarc commented 4 years ago

Hmm, the problem here is actually the usage of a cookie. This is session or permanent state, so it doesn't belong in a cookie at all, but rather local storage or session storage.

To do what you want from PrimeFaces, though, with the current build you can set the properties

cookie.secure=true
cookie.expires=
cookie.autoSave=
cookie.autoLoad=

I'll do an SP1 release with SameSite and HttpOnly settings.

Going forward though, I'm going to be focusing on the removal of cookie access completely. It is definitely not the right place for it, although obviously back in the day it was the only option.

GedMarc commented 4 years ago

SP1 Release


New Options

myLayout = $("body").layout({
    stateManagement__enabled: true, // enable stateManagement - automatic cookie
    stateManagement: {
        enabled: true,
        cookie: { secure: true }
    }
});

The cookie option has a range of sub-options, as above, to accomplish this.

This will be the last release to use cookies for state management; all future releases will use session storage or local storage with a state-per-tab option.

melloware commented 4 years ago

I think that is a great idea getting rid of cookies for local storage!

melloware commented 4 years ago

Although I thought HttpOnly meant the cookie could not be read by JavaScript?

GedMarc commented 4 years ago

Yeah, there's a readCookie method that reads the cookie from JS, so for this library it would completely break that functionality :)

GedMarc commented 4 years ago

Cookie state management removed

melloware commented 4 years ago

Nice work, this is a huge improvement and lets you remove all that cookie plugin and handling code! Win-win.