getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

[BugReport] Session cookie naming, failure to add __Secure- prefix #3773

Open Pancake11 opened 1 year ago

Pancake11 commented 1 year ago

Hi, I'm currently trying to set my session cookie to follow the MDN recommendation by adding the prefix __Secure- to my session cookie.

By putting __Secure-session_cookie in the session.name field of user/config/system.yaml, I get the following cookie name in my responses from the website: secure-session-cookie. It seems that Grav trims the leading underscores and puts everything in lowercase.

This issue appears with localhost and on an nginx-hosted server.

yaml:

```yaml
session:
  enabled: true
  initialize: true
  timeout: 1800
  name: __Secure-session-cookie
  uniqueness: path
  secure: true
  secure_https: true
  httponly: true
  samesite: Lax
  split: true
  domain: null
  path: null
```

Result in website: (screenshot omitted)

This appears when using the Microsoft Edge browser or wget.

Grav version: 1.7.43, PHP version: 8.1.2

MDN link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes
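As an added example (not Grav's code and not part of the report above): a small Python checker that applies the MDN cookie-prefix rules to Set-Cookie header values such as the ones wget prints, and a stand-in `sanitize_like_report` that mimics the transformation the report describes (leading underscores trimmed, then lowercased). That stand-in is an assumption about the observed behaviour for illustration only, not Grav's implementation. The sample header values are constructed.

```python
"""Check Set-Cookie headers against the cookie-prefix rules (__Secure- / __Host-).

Rules as documented on MDN / RFC 6265bis:
  __Secure-  the cookie must carry the Secure attribute
  __Host-    Secure, no Domain attribute, and Path must be exactly "/"
"""
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute keys are lowercased; bare flags (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def prefix_status(header: str) -> tuple[Optional[str], list[str]]:
    """Return (prefix found or None, list of rule violations for that prefix).

    The prefix is matched as the literal strings "__Secure-" / "__Host-".
    Browsers may match the prefix text case-insensitively, but a name whose
    leading underscores were stripped matches under no rule at all, so it
    simply gets no prefix protection; that case is reported as (None, []).
    """
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    problems: list[str] = []
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            problems.append("__Host- requires Secure")
        if "domain" in attrs:
            problems.append("__Host- forbids Domain")
        if attrs.get("path") != "/":
            problems.append("__Host- requires Path=/")
        return "__Host-", problems
    if name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("__Secure- requires Secure")
        return "__Secure-", problems
    return None, problems


def sanitize_like_report(name: str) -> str:
    """Stand-in for the behaviour described in the report (assumption, not
    Grav's code): leading underscores are trimmed and the rest lowercased."""
    return name.lstrip("_").lower()


def prefix_preserved(configured_name: str, header: str) -> bool:
    """True if the prefix configured for the session cookie survived into the
    Set-Cookie header actually sent to the client."""
    served = parse_set_cookie(header)["name"]
    configured_prefix, _ = prefix_status(configured_name + "=x")
    served_prefix, _ = prefix_status(header)
    return configured_prefix is None or configured_prefix == served_prefix


# Constructed sample headers: what the configuration above asks for, and the
# kind of header the report says the site actually returns.
WANTED = "__Secure-session-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
OBSERVED = "secure-session-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for h in (WANTED, OBSERVED):
        print(prefix_status(h), h)
    print("prefix preserved:", prefix_preserved("__Secure-session-cookie", OBSERVED))
```

Run it against the `Set-Cookie:` lines from `wget -S` or browser dev tools: a result of `(None, [])` for a name you configured with a prefix means the protection was silently lost before the header reached the client, which is exactly the condition the report describes.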

Rotzbua commented 11 months ago

@Pancake11 I thought the cookie prefix is obsolete if HSTS is used?

Pancake11 commented 11 months ago

Cookie prefix is not as useful if it is used with HSTS; however, I do think it is still relevant to add the support for this feature, as it can be useful for persons who can't or have not enabled HSTS yet.