The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
BSD 3-Clause "New" or "Revised" License
Set "Secure" flag in session cookie #553
Closed
cristianbercu closed 1 year ago
I have integrated Google Login and I have noticed there's a session cookie set by the initial route. I am using fastapi and my implementation is similar to the example here: https://github.com/authlib/demo-oauth-client/blob/master/fastapi-google-login/app.py#L41
The cookie only has these flags set, which are fine for development:

path=/; Max-Age=1209600; httponly; samesite=lax

However, in my live environment, I'd also like to set the Secure flag. How can I do that? This is important to enforce passing cookies only over HTTPS.

References:
https://resources.infosecinstitute.com/topic/securing-cookies-httponly-secure-flags/
https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
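The example below is added here and is not code from the issue, from Authlib or from Starlette. It assumes, as in the linked demo, that the session cookie is produced by Starlette's SessionMiddleware, whose https_only=True option is what adds the Secure attribute. Rather than importing the middleware, the block rebuilds the Set-Cookie header the way that middleware composes it (a constructed re-implementation, including the constructed cookie value), once with https_only=False and once with https_only=True, and runs a small audit over both so the missing Secure flag from the development setting is visible next to the hardened production setting.

```python
# Added example (not the issue's, Authlib's or Starlette's code): compares the
# session Set-Cookie header with and without the Secure attribute and audits
# it for the three hardening attributes the issue's references discuss.
from __future__ import annotations

from datetime import timedelta
from typing import Dict, List, Optional


def build_session_cookie(
    value: str,
    *,
    https_only: bool,
    session_cookie: str = "session",
    path: str = "/",
    max_age: int = int(timedelta(days=14).total_seconds()),  # 1209600, as in the issue
    same_site: str = "lax",
) -> str:
    """Return a Set-Cookie header value for the session cookie.

    Constructed approximation of how a Starlette-style session middleware
    assembles the header: path, Max-Age, httponly and samesite are always
    present; "secure" is appended only when https_only is True.
    """
    attrs = [
        f"{session_cookie}={value}",
        f"path={path}",
        f"Max-Age={max_age}",
        "httponly",
        f"samesite={same_site}",
    ]
    if https_only:
        attrs.append("secure")
    return "; ".join(attrs)


def cookie_attributes(set_cookie: str) -> Dict[str, Optional[str]]:
    """Parse a Set-Cookie header into a dict of lower-cased attribute names.

    Flag attributes (httponly, secure) map to None; valued attributes keep
    their value. The leading name=value pair is the cookie itself and skipped.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        name, sep, val = part.partition("=")
        attrs[name.strip().lower()] = val.strip() if sep else None
    return attrs


def audit_session_cookie(set_cookie: str) -> List[str]:
    """Return the hardening problems found in a session Set-Cookie header.

    Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from
    script access, and SameSite limits cross-site sending.
    """
    attrs = cookie_attributes(set_cookie)
    problems: List[str] = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: cookie readable from JavaScript")
    samesite = attrs.get("samesite")
    if samesite is None or samesite.lower() == "none":
        problems.append("SameSite missing or None: cookie sent on cross-site requests")
    return problems


# Constructed sample value; a real session cookie carries signed session data.
DEV_COOKIE = build_session_cookie("opaque-session-data", https_only=False)
PROD_COOKIE = build_session_cookie("opaque-session-data", https_only=True)

if __name__ == "__main__":
    for label, header in (("https_only=False", DEV_COOKIE), ("https_only=True", PROD_COOKIE)):
        print(f"{label}: {header}")
        print("  problems:", audit_session_cookie(header) or "none")
```

In the FastAPI app itself the production setting corresponds to registering the middleware with app.add_middleware(SessionMiddleware, secret_key=..., https_only=True); the audit function can then be run against the real Set-Cookie header returned by the login route to confirm the attribute is present before the deployment goes live.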