Closed daifee closed 5 years ago
Background

I found a bug when the following conditions are met:

Chrome 58

Reproduce the bug:

Proposal

Support configuring cookie secure:

```js
const cookieOpts = {
  domain: cookieDomain && cookieDomain(this),
  signed: false,
  httpOnly: false,
  overwrite: true,
  // Proposed: take the Secure flag from the csrf config.
  secure: this.app.config.security.csrf.cookieSecure
};
this.cookies.set(cookieName, secret, cookieOpts);
```

Additional context

Koa auto detects cookie secure
According to the koa issue you referred to, the proposal is rejected. Maybe you can redirect 80 to 443 and always use https.
I think exposing the config is better. Koa can be configured, but egg-security hides it.
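The following is an added example, not code from egg-security, Koa or anyone in this thread. It is a simplified model of how the `Secure` attribute would be decided if the proposed `cookieSecure` setting existed alongside the auto-detection mentioned above. The names `resolveSecure`, `csrfSetCookie` and `demoMatrix`, the cookie name and the secret are assumptions made for illustration, and the error for `secure: true` on an unencrypted connection is modelled on the `cookies` module that Koa uses.

```javascript
// Added example: simplified model, not egg-security or Koa source code.
// resolveSecure, csrfSetCookie and demoMatrix are hypothetical names.

// cookieSecure: value the proposal would read from config.security.csrf.cookieSecure
// encrypted:    whether the server sees the request as HTTPS
function resolveSecure(cookieSecure, encrypted) {
  // Unset config keeps today's behaviour: follow the connection (auto-detect).
  if (cookieSecure === undefined) return Boolean(encrypted);
  if (cookieSecure && !encrypted) {
    // Modelled on the `cookies` module, which refuses this combination.
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  return Boolean(cookieSecure);
}

// Build the Set-Cookie value for the CSRF secret.
function csrfSetCookie(name, secret, { cookieSecure, encrypted, domain } = {}) {
  const parts = [`${name}=${secret}`, 'path=/'];
  if (domain) parts.push(`domain=${domain}`);
  if (resolveSecure(cookieSecure, encrypted)) parts.push('secure');
  // httpOnly is false in the proposed options, so no HttpOnly attribute.
  return parts.join('; ');
}

// Every combination of config value and connection type (constructed inputs).
function demoMatrix() {
  const rows = [];
  for (const cookieSecure of [undefined, false, true]) {
    for (const encrypted of [false, true]) {
      let header;
      try {
        header = csrfSetCookie('csrfToken', 'CONSTRUCTED_SECRET', { cookieSecure, encrypted });
      } catch (err) {
        header = `error: ${err.message}`;
      }
      rows.push({ cookieSecure, encrypted, header });
    }
  }
  return rows;
}

console.table(demoMatrix());
```

The row worth reviewing in a deployment is `cookieSecure: false` on an encrypted connection: the explicit setting overrides auto-detection, so the CSRF cookie is issued without `Secure` even though the site is served over HTTPS.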