lepture / authlib

The ultimate Python library for building OAuth and OpenID Connect clients and servers. JWS, JWE, JWK, JWA and JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License
4.49k stars, 448 forks

Set "Secure" flag in session cookie #553

Closed. cristianbercu closed this 1 year ago.

cristianbercu commented 1 year ago

I have integrated Google Login and I have noticed there's a session cookie set by the initial route. I am using FastAPI and my implementation is similar to the example here: https://github.com/authlib/demo-oauth-client/blob/master/fastapi-google-login/app.py#L41

The cookie only has these flags set which are fine for development: path=/; Max-Age=1209600; httponly; samesite=lax

However, in my live environment, I'd also like to set the Secure flag. How can I do that?

This is important to enforce passing cookies only over HTTPS. References:

- https://resources.infosecinstitute.com/topic/securing-cookies-httponly-secure-flags/
- https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

lepture commented 1 year ago

This is not an Authlib issue. You can ask your question on Stack Overflow.
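For readers landing here with the same question: the cookie in the report (`path=/; Max-Age=1209600; httponly; samesite=lax`, 14 days) is the default shape of Starlette's `SessionMiddleware`, which the linked FastAPI demo relies on, and that middleware exposes the Secure attribute through its `https_only` parameter (`app.add_middleware(SessionMiddleware, secret_key=..., https_only=True)`); that is stated from memory of Starlette's API, not from this thread, so confirm it against the version you have installed. The block below is an added example, not code from Authlib, Starlette or the demo app, and uses only the standard library. It shows two things a practitioner wants regardless of framework: an audit of a `Set-Cookie` value that reports a missing Secure (or HttpOnly / SameSite) flag, and a framework-agnostic ASGI middleware that appends `Secure` to every outgoing `Set-Cookie` header, exercised against a constructed ASGI app that sets the cookie exactly as the issue describes. The cookie value and redirect target are constructed placeholders.

```python
"""Audit and enforce the Secure flag on Set-Cookie headers in an ASGI app.

Added example, not Authlib/Starlette/demo code; standard library only so it
runs offline. With Starlette, SessionMiddleware(..., https_only=True) is the
direct fix (assumption about Starlette's API; verify with your version).
"""
import asyncio
from typing import Dict, List, Tuple

Headers = List[Tuple[bytes, bytes]]


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Parse a Set-Cookie value into lower-cased attribute -> value.

    Flag attributes (Secure, HttpOnly) map to ""; valued ones (Max-Age) to
    their value. The cookie's own name is stored under "__name__".
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs: Dict[str, str] = {}
    if parts:
        attrs["__name__"] = parts[0].split("=", 1)[0]
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_cookie(set_cookie: str) -> List[str]:
    """Return production-readiness findings for one Set-Cookie header value."""
    attrs = cookie_attributes(set_cookie)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from JavaScript")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict")
    return findings


def force_secure_cookies(app):
    """ASGI middleware adding Secure to every Set-Cookie on HTTP responses.

    Install it outermost so it sees the final headers; idempotent, so a
    cookie that already carries Secure is left alone. Only enable it where
    TLS is actually used: browsers drop Secure cookies set over plain HTTP.
    """
    async def wrapper(scope, receive, send):
        if scope["type"] != "http":            # websocket/lifespan pass through
            await app(scope, receive, send)
            return

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                fixed: Headers = []
                for name, value in message.get("headers", []):
                    if name.lower() == b"set-cookie" and \
                            "secure" not in cookie_attributes(value.decode("latin-1")):
                        value = value + b"; Secure"
                    fixed.append((name, value))
                message = {**message, "headers": fixed}
            await send(message)

        await app(scope, receive, send_wrapper)

    return wrapper


# Constructed stand-in for the cookie quoted in the issue (no Secure flag).
ISSUE_COOKIE = "session=opaque-value; path=/; Max-Age=1209600; httponly; samesite=lax"


async def login_app(scope, receive, send):
    """Constructed ASGI app: the 'initial route' that sets the session cookie."""
    await send({"type": "http.response.start", "status": 302, "headers": [
        (b"location", b"/authorize-placeholder"),       # constructed redirect target
        (b"set-cookie", ISSUE_COOKIE.encode("latin-1")),
    ]})
    await send({"type": "http.response.body", "body": b""})


def run_request(app) -> List[str]:
    """Drive an ASGI app with one fake GET and return its Set-Cookie values."""
    async def drive():
        sent = []

        async def receive():
            return {"type": "http.request", "body": b"", "more_body": False}

        async def send(message):
            sent.append(message)

        await app({"type": "http", "method": "GET", "path": "/login", "headers": []},
                  receive, send)
        start = next(m for m in sent if m["type"] == "http.response.start")
        return [v.decode("latin-1") for k, v in start["headers"] if k.lower() == b"set-cookie"]
    return asyncio.run(drive())


if __name__ == "__main__":
    print("before:", audit_cookie(ISSUE_COOKIE))
    for cookie in run_request(force_secure_cookies(login_app)):
        print("after: ", cookie, audit_cookie(cookie))
```

Run `audit_cookie` against the real `Set-Cookie` header your deployment returns (e.g. copied from `curl -I`) rather than against code you think is configured; behind a TLS-terminating proxy the app sees plain HTTP, so the framework option is still needed and the middleware above is a safety net, not a substitute.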