Currently, the authentication support relies on cookies without the Secure flag enabled. This is mostly to facilitate local testing because recent browser releases have stopped including cookies on certain types of requests initiated by other origins. This broke the auth flow because redirects from an OpenID provider like Auth0 were being made such that the temporary auth state cookie was being omitted.
Some mechanism needs to be implemented to indicate to Nostalgie when it is running in a TLS-enabled environment.
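
One way such a signal could drive the cookie flags, as an added example that is not Nostalgie's code: `isTlsRequest`, `authStateCookie` and the `tls`, `trustProxy` and `crossSitePost` options are hypothetical names. It sets `Secure` only when the client-facing connection is TLS and refuses `SameSite=None` over plain HTTP, a combination browsers reject.

```javascript
// Added example; every name here is hypothetical, not Nostalgie's API.

// Decide whether the client-facing connection is TLS.
// config.tls: explicit operator override (true/false).
// config.trustProxy: must be set before X-Forwarded-Proto is believed,
// because any client can send that header directly.
function isTlsRequest(req, config = {}) {
  if (typeof config.tls === 'boolean') return config.tls;
  if (req.socket && req.socket.encrypted) return true;
  if (config.trustProxy) {
    const raw = (req.headers || {})['x-forwarded-proto'];
    const first = String(Array.isArray(raw) ? raw[0] : raw || '').split(',')[0];
    return first.trim().toLowerCase() === 'https';
  }
  return false;
}

// Build the Set-Cookie value for the temporary auth state cookie.
// crossSitePost: set when the provider returns to the callback with a
// cross-site POST, which only carries cookies marked SameSite=None.
function authStateCookie(name, value, opts = {}) {
  const { tls = false, crossSitePost = false, maxAgeSeconds = 600 } = opts;
  if (crossSitePost && !tls) {
    throw new Error('SameSite=None requires Secure, which requires TLS');
  }
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    'HttpOnly',
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (tls) attrs.push('Secure');
  // Lax still sends the cookie on the top-level GET redirect back from the provider.
  attrs.push(crossSitePost ? 'SameSite=None' : 'SameSite=Lax');
  return attrs.join('; ');
}

// Constructed sample request: plain HTTP socket behind a TLS-terminating proxy.
const sampleReq = { socket: {}, headers: { 'x-forwarded-proto': 'https, http' } };
const tls = isTlsRequest(sampleReq, { trustProxy: true });
console.log(authStateCookie('auth_state', 'abc 123', { tls, crossSitePost: true }));
```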