khakers / modmail-viewer

An advanced web frontend for the modmail discord bot with built in Discord OAuth2 authentication, and support for browsing and searching current and historical logs. Directly replaces logviewer.
MIT License
10 stars, 4 forks

Cookies are always set as secure regardless of whether https is used #41

Closed khakers closed 1 year ago

khakers commented 1 year ago

Chrome requires that secure cookies be sent over a secure connection, but currently the state and auth cookies are always set as secure, even if https is disabled. Ideally everyone who uses Auth also connects via https, but we should still allow auth over insecure connections.

To fix this, cookies should either be set to secure only if https is enabled, or be independently disabled or enabled with a different config option. Setting Secure based only on whether https is enabled will cause problems for users that don't enable https in the app but do have a reverse proxy in front of their application providing and terminating SSL connections, in which case we want cookies to be set as secure.
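The decision logic the issue asks for, written out as an added example (not modmail-viewer's own code): an explicit `secure_cookies` override (`auto`/`always`/`never`), and in `auto` mode the Secure attribute is set when the app serves TLS itself or, only when the operator opts in with a hypothetical `trust_proxy` setting, when a TLS-terminating reverse proxy reports `X-Forwarded-Proto: https`. The config field names, `cookie_secure` and `build_set_cookie` are assumptions for illustration; the request headers are constructed.

```python
"""Added example: decide the Secure attribute for state/auth cookies.

The CookieConfig fields and function names here are hypothetical, not the
project's own configuration keys.
"""
from dataclasses import dataclass
from typing import Literal, Mapping, Optional

SecureMode = Literal["auto", "always", "never"]


@dataclass(frozen=True)
class CookieConfig:
    """Hypothetical settings mirroring the options discussed in the issue."""
    https_enabled: bool = False          # the app terminates TLS itself
    secure_cookies: SecureMode = "auto"  # independent override for the Secure flag
    trust_proxy: bool = False            # honour X-Forwarded-Proto from a reverse proxy


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def request_is_https(cfg: CookieConfig, headers: Mapping[str, str]) -> bool:
    """True when the browser's connection is TLS end to end.

    If the app serves HTTPS itself the answer is yes. Otherwise the only signal
    is a forwarding header from a TLS-terminating reverse proxy, and that header
    is client-controlled unless the deployment really sits behind such a proxy,
    so it is consulted only when trust_proxy is enabled.
    """
    if cfg.https_enabled:
        return True
    if not cfg.trust_proxy:
        return False
    forwarded = _header(headers, "X-Forwarded-Proto")
    if forwarded is None:
        return False
    # A chain of proxies may append values ("https, http"); the first entry is
    # the scheme the original client used.
    return forwarded.split(",")[0].strip().lower() == "https"


def cookie_secure(cfg: CookieConfig, headers: Mapping[str, str]) -> bool:
    """Should the Secure attribute be set on the state/auth cookies?"""
    if cfg.secure_cookies == "always":
        return True
    if cfg.secure_cookies == "never":
        return False
    if cfg.secure_cookies != "auto":
        raise ValueError(f"unknown secure_cookies mode: {cfg.secure_cookies!r}")
    # "auto": Secure exactly when the browser actually talks TLS. A Secure cookie
    # set over plain http is rejected by the browser, so auth would never complete.
    return request_is_https(cfg, headers)


def build_set_cookie(name: str, value: str, cfg: CookieConfig,
                     headers: Mapping[str, str]) -> str:
    """Render a Set-Cookie header value with the usual hardening attributes."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if cookie_secure(cfg, headers):
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed headers for a deployment behind a reverse proxy terminating TLS.
    proxied = {"Host": "modmail.example", "X-Forwarded-Proto": "https"}
    print(build_set_cookie("session", "abc123", CookieConfig(trust_proxy=True), proxied))
    # Plain http with no proxy: no Secure flag, so the cookie is accepted.
    print(build_set_cookie("session", "abc123", CookieConfig(), {"Host": "modmail.example"}))
```

Note the trade-off `trust_proxy` encodes: without it, an operator behind a TLS-terminating proxy gets non-Secure cookies in `auto` mode (which is what the issue warns about), so they should either enable it or set `secure_cookies: always`; with it enabled on a directly exposed instance, any client can spoof `X-Forwarded-Proto`, so the default stays off.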