Uninett / nav

Network Administration Visualized
GNU General Public License v3.0

[BUG] Use secure session cookies #2194

Closed lunkwill42 closed 7 months ago

lunkwill42 commented 4 years ago

Describe the bug

NAV doesn't employ the Secure attribute on its session cookie. Whenever NAV is configured to be served over HTTPS, this should be part of the cookie.

This would normally be accomplished by setting SESSION_COOKIE_SECURE = True in the site settings. However, ATM, the NAV code base doesn't sufficiently support differentiating between development settings and production settings. In most development environments, NAV will NOT be served over HTTPS, only HTTP. Also, some users might, for some strange reason, opt to serve NAV on a non-SSL site also in production (in most common configurations, this is set up entirely outside of NAV, in the web server config).

Because of these considerations, a new option for this might actually be needed in etc/webfront/webfront.conf, so the user can control the option.

Environment (please complete the following information):
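As an added illustration (not NAV's own code) of how the proposed webfront.conf option could drive Django's SESSION_COOKIE_SECURE, plus a check for the Secure attribute on a Set-Cookie header; the `[security]` section and `secure_cookie` key are hypothetical placeholders, and the sample config is constructed:

```python
import configparser
from http.cookies import SimpleCookie

# Constructed sample of a hypothetical section in etc/webfront/webfront.conf.
# "secure_cookie" is a placeholder name, not an option NAV actually defines.
SAMPLE_WEBFRONT_CONF = """
[security]
secure_cookie = yes
"""


def load_secure_cookie_flag(conf_text: str, default: bool = False) -> bool:
    """Return the value SESSION_COOKIE_SECURE should take for this config.

    Defaults to False so plain-HTTP development setups keep working; an
    HTTPS deployment opts in explicitly in webfront.conf.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("security", "secure_cookie", fallback=default)


def django_session_settings(conf_text: str) -> dict:
    """Build the session-cookie settings Django would read from the config."""
    return {
        "SESSION_COOKIE_NAME": "nav_sessionid",   # the cookie NAV controls
        "SESSION_COOKIE_SECURE": load_secure_cookie_flag(conf_text),
        "SESSION_COOKIE_HTTPONLY": True,
    }


def missing_secure_flag(set_cookie_value: str, cookie_name: str = "nav_sessionid") -> bool:
    """True if the named cookie in a Set-Cookie header value lacks Secure.

    Useful for verifying an HTTPS deployment after the setting is enabled:
    feed it the Set-Cookie value returned by the login response.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = jar.get(cookie_name)
    if morsel is None:
        return False   # a different cookie (e.g. PHPSESSID) is not NAV's concern
    return not morsel["secure"]
```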

hmpf commented 8 months ago

We control nav_sessionid.

What about:

* statvisible

* PHPSESSID

lunkwill42 commented 8 months ago

You are referring to tests on an NMT (VK) server where these cookies have been observed. None of them appear to be relevant to NAV.

PHPSESSID is set by an NfSen instance on said server.

It remains unclear what is actually setting statvisible, but it is still likely a third party web tool, as there are no references to it in NAV.