Current behaviour is that HttpOnly is only true if the request is not encrypted, i.e. HTTP. The issue with this is that the cookie is set and removed from Google Chrome if HttpOnly is false. Meaning, whenever the cookie is requested over HTTPS, the cookie is not visible to the client.
The solution is to always set HttpOnly to true. This should also serve as a security improvement.
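The two cookie policies being contrasted, as an added example (not code from the plugin or this pull request): a protocol-dependent HttpOnly flag beside an unconditional one, a small Set-Cookie serializer so the resulting header is visible, and a check that reports whether a given Set-Cookie header leaves the session cookie readable from script. The function names and the sample token are assumptions made here for illustration.

```javascript
// Added example: deriving a session cookie's HttpOnly/Secure attributes from
// the request, comparing a protocol-dependent HttpOnly with an always-on one.
// Function names below are hypothetical, not the plugin's own API.

// Variant A: HttpOnly only when the request is plain HTTP. On every HTTPS
// request the session cookie is therefore exposed to document.cookie.
function protocolDependentCookieOptions(isEncryptedRequest) {
  return {
    httpOnly: !isEncryptedRequest,
    secure: isEncryptedRequest,
    sameSite: 'Lax',
    path: '/',
  };
}

// Variant B: HttpOnly is unconditional. Secure still follows the transport,
// since a Secure cookie is never sent by the browser over plain HTTP.
function alwaysHttpOnlyCookieOptions(isEncryptedRequest) {
  return {
    httpOnly: true,
    secure: isEncryptedRequest,
    sameSite: 'Lax',
    path: '/',
  };
}

// Minimal Set-Cookie serializer (no external dependency) so the difference
// shows up as the header a browser would actually receive.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Defender-side check: parse a Set-Cookie header (attribute names are
// case-insensitive) and report whether the cookie is script-readable.
function auditSetCookie(header) {
  const attrs = header
    .split(';')
    .slice(1) // drop the name=value pair
    .map((a) => a.trim().toLowerCase());
  const httpOnly = attrs.includes('httponly');
  return {
    httpOnly,
    secure: attrs.includes('secure'),
    scriptReadable: !httpOnly,
  };
}

// Constructed demonstration: same session token on an HTTPS request, both variants.
const sampleToken = 'constructed-session-token'; // constructed, not a real token
const headerVariantA = serializeCookie('session', sampleToken, protocolDependentCookieOptions(true));
const headerVariantB = serializeCookie('session', sampleToken, alwaysHttpOnlyCookieOptions(true));

console.log('protocol-dependent:', headerVariantA, auditSetCookie(headerVariantA));
console.log('always HttpOnly:   ', headerVariantB, auditSetCookie(headerVariantB));
```

Running it prints the two headers; only the second carries `HttpOnly` on the HTTPS request, which is the exposure the audit function flags as `scriptReadable` for the first.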
This is weird, I wonder why that is. It almost looks like my understanding of httpOnly is incorrect... like I thought it stood for the opposite of secure.
https://github.com/julianlam/nodebb-plugin-session-sharing/blob/877b39169ce01de9d30008af8c77b1f0073ed16b/library.js#L599