julianlam
commented
2 years ago This is weird, I wonder why that is. It almost looks like my understanding of httpOnly is incorrect... like I thought it stood for the opposite of secure.
Anyway, httpOnly should be always enabled.
Current behaviour is that
HttpOnlyis only true, if request is not encrypted, i.e. HTTP. Issue with wich is that cookie is set and removed from Google Chrome, ifHttpOnlyis false. Meaning, whenever cookie is requested by HTTPS, the cookie is not visible to client.Solution is to always set
HttpOnlyto true. This should also serve as a security improvement.https://github.com/julianlam/nodebb-plugin-session-sharing/blob/877b39169ce01de9d30008af8c77b1f0073ed16b/library.js#L599