DharunKumar04
commented
11 months ago Hi @enver-bisevac
Thank you for your feedback and the reference to the MDN documentation on cookies.As you mentioned, a cookie with the 'Secure' attribute is sent to the server only with an encrypted request over the HTTPS protocol.I understand the concern and would like to clarify my approach The reason for enforcing the 'Secure' attribute as true in the includeTokenCookie and deleteTokenCookieIfPresent functions is to provide an explicit security measure. Since the authentication token cookie lacks the 'Secure' attribute, it maybe sent in plaintext over an unencrypted HTTP connection.And attackers can use this vulnerability as an attack surface.
By setting the secure attribute to true it serves as a clear indication that these cookies should only be transmitted over HTTPS, aligning with the best practices outlined in the MDN documentation.And also explicitly setting 'Secure' within these functions, we adopt a defensive coding approach. This ensures that even if the isSecure variable in the newEmptyTokenCookie function were to change in the future due to code evolution, our security measure remains intact.
If you believe it's unnecessary for our codebase or if there are better ways to handle this, please let me know, or we can close this pull request.Thanks :)
CLAassistant
This pull request addresses the security issue raised by Snyk regarding sensitive cookies in the account package not having the '
Secure' attribute set. The 'Secure' attribute is essential for ensuring that cookies are transmitted securely over HTTPS, preventing potential man-in-the-middle attacks.Changes Made:
includeTokenCookie' and 'deleteTokenCookieIfPresent' functions.Secure' attribute is set to true when the request is made over HTTPS, ensuring that sensitive cookies are only sent over encrypted connections.