marcuswestin / store.js

Cross-browser storage for all use cases, used across the web.
MIT License
14.01k stars 1.33k forks

Ability to set a cookie as 'secure' #269

Open ondrasak opened 6 years ago

ondrasak commented 6 years ago

Problem

I need to set cookies with ability to flag them as 'secure'

Proposal

A) Set cookie as 'secure' implicitly if current protocol is 'https'

could bring unexpected issues (one is mentioned in the 'cons' list)

Pros

Cons

B) Pass an options {isSecure: boolean} as 3rd param to the 'write' method

Pros

Cons

wstam88 commented 6 years ago

Any updates about this issue?

taylorgoolsby commented 5 years ago

Are there any other fallbacks for safari private mode besides cookies which are persistent across refreshes?

globalStorage, which looks like is based on persist-js, is silent on whether or not it supports safari private mode: https://github.com/jeremydurham/persist-js/issues/39

I don't want to use cookieStorage without secure because I've heard about attacks (or accidents) where the client can be forced to send over http instead of https, and I put sensitive stuff in the client storage. It would be nice to have this layer of security which secure provides.

Also, as for option A versus option B as the OP describes, I like how option A is automatic and easier to maintain. I think it would be nice if option A was enabled by default, and you can pass a third parameter to disable it, so it's like a combination of both options.

Lawlez commented 4 years ago

I am also looking for this functionality, I'm tasked with finding a solution for safari and the future updates to the rest of the browsers. There should be options to set any of the cookie attributes so we can still use store.js in the future.

Maybe it could also be added as a plugin to allow for more control when setting cookies?

see here for options / best practice: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
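An added example (not store.js's own code) of the behaviour the thread converges on: Secure is implied when the page protocol is https: (proposal A), an explicit option overrides that default (proposal B), and the remaining attributes from the OWASP cheat sheet are settable. The function names `serializeCookie`/`writeCookie` and the option keys are assumptions, not store.js's API.

```javascript
// Builds the document.cookie string. Kept pure (protocol passed in) so it can
// be tested outside a browser; `writeCookie` below does the actual write.
function serializeCookie(key, value, options = {}, protocol = 'https:') {
  // Proposal A: Secure by default when the page itself was served over TLS.
  // Proposal B: an explicit boolean `secure` option overrides that default.
  const secure = typeof options.secure === 'boolean'
    ? options.secure
    : protocol === 'https:';

  // Modern browsers reject a Secure cookie set from an insecure origin, so
  // fail loudly here instead of silently losing the write.
  if (secure && protocol !== 'https:') {
    throw new Error('Secure cookie requested from a non-https page');
  }

  const parts = [`${encodeURIComponent(key)}=${encodeURIComponent(value)}`];
  parts.push(`Path=${options.path || '/'}`);
  if (options.domain) parts.push(`Domain=${options.domain}`);
  if (typeof options.maxAge === 'number') {
    parts.push(`Max-Age=${Math.floor(options.maxAge)}`);
  }

  // SameSite defaults to Lax; None is only honoured together with Secure.
  const sameSite = options.sameSite || 'Lax';
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`Unsupported SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  parts.push(`SameSite=${sameSite}`);

  // HttpOnly cannot be set from script at all; it is a server-side attribute.
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Browser-side write. `location`/`document` are absent under Node, so the
// protocol falls back to https: and the write is skipped there.
function writeCookie(key, value, options) {
  const proto = typeof location !== 'undefined' ? location.protocol : 'https:';
  const cookie = serializeCookie(key, value, options, proto);
  if (typeof document !== 'undefined') document.cookie = cookie;
  return cookie;
}
```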

mt-micky commented 3 years ago

Why is this not merged yet?? :'(