search

Saeven / zf3-circlical-user

Turnkey Authentication, Identity, and RBAC for Laminas and Zend Framework 3. Supports Doctrine and Middleware.
Mozilla Public License 2.0
36 stars 15 forks source link

set Cookie prefix __Host- #99

Open CreativeNative opened 2 years ago

CreativeNative commented 2 years ago

To make the cookies more secure I would love to add the cookie prefix "__Host-". Would that be possible or do you see problems with that?

"_sessiont" maybe doesn't work with this prefix, because it doesn't has the HTTPOnly mode active.

Saeven commented 2 years ago

Hi! That's intentional, it serves to be read by javascript in order to do things like session timeouts and so forth. The only thing it contains, is a timestamp, low risk. It is informational only.

Saeven commented 2 years ago

BTW, hope you are doing well! Happy new year! 🎉

Saeven commented 2 years ago

Related to changing the cookie names, there was a PR open for customization at that level. I wouldn't be able to "change" things outright with a hardcode, that'd break everything and I'd become a homeless bum after our prod apps break and I get fired.

Maybe though, we could explore the 'custom name'. It would mean rewriting a ton of tests though. Not sure it's worth it.

CreativeNative commented 2 years ago

I almost forgot. Happy new year. Hope everything went well for you. My system is and and running. Migration is done! Yehaaa!!!

HTTPOnly isn't required for a prefix, so it would work.

Host- prefix: Cookies with names starting with Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

I would hire you, when I had more money. :D When I have time I will check out the option for custom names for cookies. Would be a great feature, because a prefix is another security layer.

CreativeNative commented 2 years ago

Reminder: https://github.com/Saeven/zf3-circlical-user/pull/28

Saeven commented 2 years ago

I see. That was a TIL moment for me, I wasn't aware of semantics for names. Seems like such a bread and butter thing, but I've never come across it.

Perhaps I can just add a flag. Rather than names, we can put a flag that reads "add_host_prefix" in config. It'd be too restrictive for my applications (subdomains get blocked looks like), but I see the value.