Closed joshmanders closed 9 months ago
Curious to know how httpOnly cookies can break with hx-boost?
HttpOnly simply disallows clients from reading the cookie via JS, but they should still be sent via AJAX call
Hmmm, maybe I'm down the wrong path. I just have noticed since going into boost I am getting signed out after the session expiration time hits and the remember me token isn't set anymore when I reload after that time.
Let's let this PR cook a bit as I've got this edited into my node_modules version and I'll see if it makes a difference in a few hours when the session expires and the remember me token needs to do its job.
Some long waited tests have shown this isn't the issue of my logging out and seems to be a local only issue as prod is still logged in (using same code without this mod).
Sorry for wasting time.
Proposed changes
I ran into an issue where I am using htmx's hx-boost="true" for SPA like abilities in my app and all of a sudden I kept getting logged out even after setting Remember Me on my auth session.
I dug in and learned that the remember me token cookie is not respecting the config/app.ts#cookie.httpOnly option and overrides it, breaking remember me abilities even though session cookies are respecting that configuration.
This PR removes that and defaults to the settings in your config for cookies so that way all cookies behave how you intend them to based on that configuration.
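A response-header check for the mismatch discussed in this PR, added here as an example (not code from the PR or from the framework): it parses Set-Cookie headers and reports whether the session and remember-me cookies carry the same HttpOnly setting. The cookie names and header values are constructed for illustration.

```javascript
// Constructed sample: Set-Cookie values from one login response (names are made up).
const sampleHeaders = [
  'example-session=s1a2b3; Max-Age=7200; Path=/; HttpOnly; SameSite=Lax',
  'example-remember=t4c5d6; Max-Age=157680000; Path=/; SameSite=Lax',
];

// Parse one Set-Cookie value into { name, attrs }; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: treat as malformed
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Report auth cookies that lack HttpOnly, are absent, or disagree with each other.
function auditAuthCookies(headers, authNames) {
  const findings = [];
  const httpOnlyByName = new Map();
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!cookie) { findings.push(`malformed Set-Cookie: ${header}`); continue; }
    if (!authNames.includes(cookie.name)) continue;
    const httpOnly = 'httponly' in cookie.attrs;
    httpOnlyByName.set(cookie.name, httpOnly);
    if (!httpOnly) findings.push(`${cookie.name}: HttpOnly not set, readable from script`);
  }
  for (const name of authNames) {
    if (!httpOnlyByName.has(name)) findings.push(`${name}: not set in this response`);
  }
  if (new Set(httpOnlyByName.values()).size > 1) {
    findings.push('HttpOnly differs between auth cookies');
  }
  return findings;
}

console.log(auditAuthCookies(sampleHeaders, ['example-session', 'example-remember']));
```

Run against the Set-Cookie headers of a real login response, an empty result means both cookies are present and agree on HttpOnly.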