Open Benjamin-K opened 11 months ago
Hi @Benjamin-K Thanks for your input!
For Flow.session.cookie.(secure|samesite) I'm full in.
Where do the 24 minutes come from and not just 1800?
The Flow.http.applicationToken I'd like to keep on "ApplicationName" because the system itself can usually be identified anyways and we as a community would affect the possibility for market share scanning.
I totally agree that applicationToken and security.cryptography.BCryptHashingStrategy.cost both need more attention, like a hint. But I don't like to copy default values and existing comments.
Hi @sbruggmann
Where do the 24 minutes come from and not just 1800?
The 24 minutes come from the PHP defaults. But I agree that we could also use a value that's more in line with our default timings, like 15 or 30 minutes (900 / 1800).
I also agree that the Flow.http.applicationToken should not be removed completely, to share the awesome work behind Flow and Neos.
I'm also fine if we do not add Flow.http.security here, if we don't change a thing. Could be a small hint in the Readme, though. What do you think?
Hi @Benjamin-K
Sounds good 🙂
Just asking before I create a PR: Should we add stronger settings for the Production context to this package? I think something like the settings below should be the default in production. I kept the comments so someone who wants to have a different value can easily change it.
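A Production-context Settings.yaml applying the hardening discussed in this thread, written as an added example for this page and not the settings block from the proposed PR; the key names are Flow's (the Neos.Flow prefix and the Configuration/Production/Settings.yaml path are assumed from Flow's configuration layout), the values follow the thread's suggestions, and the "default" remarks in the comments are Flow's shipped defaults as far as known here.

```yaml
# Configuration/Production/Settings.yaml (added example; not the settings from the PR
# discussed above). Context-specific files override the package defaults in Production only.
Neos:
  Flow:
    session:
      # Flow's own default is 3600 s; the thread prefers 900 or 1800 over PHP's 1440 (24 min)
      inactivityTimeout: 1800
      cookie:
        # Default false. In Production the session cookie must only travel over HTTPS,
        # otherwise a plain-HTTP request (or a downgrade) leaks the session id.
        secure: true
        # Default true; keeps the session id out of reach of page scripts (XSS fallout).
        httponly: true
        # Set explicitly. 'Lax' limits cross-site sends to top-level GET navigations;
        # 'Strict' also blocks those, which can break logins reached via external links.
        samesite: 'Lax'
    http:
      # Allowed values: 'Off', 'ApplicationName', 'MajorVersion', 'MinorVersion'.
      # 'ApplicationName' keeps the product visible without disclosing the version.
      applicationToken: 'ApplicationName'
    security:
      cryptography:
        BCryptHashingStrategy:
          # Flow's default is 14. Raising it slows every login hash; measure the
          # hashing time on the production hardware before increasing.
          cost: 14
```

Check the result with `./flow configuration:show --type Settings --path Neos.Flow.session` under FLOW_CONTEXT=Production to confirm the override is picked up.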