mozilla / node-client-sessions

secure sessions stored in cookies
Mozilla Public License 2.0

httpOnly true by default (if not set explicitly) #103

Closed. mariusk closed this 9 years ago

mariusk commented 9 years ago

Suggestion: set it to false by default, or at the very least state clearly in the docs that it is so. It seems counterintuitive that a session cookie cannot be accessed by JavaScript by default. Isn't JavaScript exactly the place where one would want access to such items? IMHO.

seanmonstar commented 9 years ago

Usually, a session cookie would never be accessed in the browser JavaScript, as that allows possible tampering, and the session only matters on the server.

mariusk commented 9 years ago

This used to be the case for sure. I believe it is less and less so for modern/SPA-type apps, where apps running in the browser both need to know IF the user is logged in, and also support a type of "cookie login" (without password) to refresh the session if so. Assuming the cookie is secure/tamper-resistant, having it available in JavaScript shouldn't hurt, right (unless the crypto used is very weak)? But I see your point as well; for stateless web apps, access to the cookie should matter less.

mariusk commented 9 years ago

After I figured out this library does not clear the session cookie when calling reset(), I figured I needed to track the logged in state separately anyway, so I used a regular cookie instead. Which means there is no longer any need to attempt to read the cookie client side. Thanks.