drogonframework / drogon

Drogon: A C++14/17/20 based HTTP web application framework running on Linux/macOS/Unix/Windows
MIT License

Session-Cookie cannot be set to secure #2072

Open Mai-Lapyst opened 1 week ago

Mai-Lapyst commented 1 week ago

Describe the bug

There is no way of setting a session to secure.

To Reproduce

  1. Enable sessions, set samesite to Lax or anything other than None
  2. Start the app and use curl or the browser to send a request
  3. Look at the Set-Cookie header

Expected behavior

That a session cookie is by default, or can be set, to have the Secure attribute.

Mis1eader-dev commented 1 week ago

There is a secure setter in the Cookie class

Cookie cookie("key", "value");
cookie.setSameSite(SameSite::kLax);
cookie.setSecure(true);

Edit: You mean Drogon's built-in sessions?

Mis1eader-dev commented 1 week ago

Yeah, I believe you mean Drogon sessions. It's not available right now; we can work on adding it in the config with an entry called "session_secure".

Mai-Lapyst commented 1 week ago

Yeah, my bug report is for session cookies, i.e. the cookies set to provide functionality to HttpRequestPtr req; req->session();, and activated by drogon::app().enableSession(24h, SameSite::kLax, "SOME_SESS_COOKIE");.
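
Step 3 of the reproduction written as a check, added here as an example and not part of the issue thread or of Drogon's code: a stand-alone C++ parser that inspects Set-Cookie values for the session cookie and reports whether the Secure attribute is present. The header strings are constructed samples (not captured from a Drogon server), and auditSetCookie and sessionCookieOk are hypothetical helper names.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

static std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

struct CookieAudit { bool found = false, secure = false, httpOnly = false; std::string sameSite; };

// Inspect raw Set-Cookie header values for the cookie called `name` (hypothetical helper).
CookieAudit auditSetCookie(const std::vector<std::string>& headers, const std::string& name) {
    CookieAudit a;
    for (const auto& h : headers) {
        std::istringstream in(h);
        std::string part;
        std::getline(in, part, ';');  // first segment is name=value
        if (trim(part.substr(0, part.find('='))) != name) continue;  // cookie names are case-sensitive
        a = CookieAudit{};
        a.found = true;
        while (std::getline(in, part, ';')) {  // remaining segments are attributes
            auto eq = part.find('=');
            std::string key = lower(trim(part.substr(0, eq)));  // attribute names are case-insensitive
            if (key == "secure") a.secure = true;
            else if (key == "httponly") a.httpOnly = true;
            else if (key == "samesite" && eq != std::string::npos) a.sameSite = lower(trim(part.substr(eq + 1)));
        }
    }
    return a;
}

// Without Secure, the browser will also send the session cookie over plain HTTP.
bool sessionCookieOk(const CookieAudit& a) { return a.found && a.secure; }

int main() {
    // Constructed sample header: session cookie with SameSite=Lax and no Secure attribute.
    std::vector<std::string> hdrs = {"SOME_SESS_COOKIE=abc123; Path=/; HttpOnly; SameSite=Lax"};
    CookieAudit a = auditSetCookie(hdrs, "SOME_SESS_COOKIE");
    std::cout << "Secure=" << a.secure << " HttpOnly=" << a.httpOnly << " SameSite=" << a.sameSite << "\n";
    return sessionCookieOk(a) ? 0 : 1;
}
```
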