pglombardo / pwpush-cli

Password Pusher Command Line Utility
MIT License

cookies set to http vs https #852

Open nilldot opened 3 months ago

nilldot commented 3 months ago

Hi, is there a way to set _PasswordPusher_session cookies to secure only? It is currently set to HTTP, hence insecure.

Thank you

github-actions[bot] commented 3 months ago

Hello @nilldot, thanks for contributing to the Password Pusher community! We will respond as soon as possible.

pglombardo commented 3 months ago

Hi @nilldot - That session cookie is set by the Password Pusher code base and it follows the access pattern - HTTPS --> secure cookie, HTTP --> http cookie.

Are you accessing pwpush over an SSL connection?

nilldot commented 3 months ago

Yes, the site is behind the TLS/https. Odd. [image attached]

pglombardo commented 3 months ago

What are you using for SSL termination? Are you forwarding the X-Forwarded-Proto header to the backend? That might be a cause for insecure cookies.

I have a short write-up on proxy headers here.
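The mechanism behind the previous comment, shown as an added example (this is not Password Pusher's code, and the scheme-detection logic is a simplified model of the usual Rack behaviour, not a copy of the app's own): a backend sitting behind a TLS-terminating proxy only sees a plain-HTTP socket, so unless the proxy forwards `X-Forwarded-Proto: https` the request looks like HTTP and the session cookie is issued without the `Secure` attribute. The request environments, the cookie value and the helper names are constructed for the illustration; the cookie name `_PasswordPusher_session` is the one from the issue.

```ruby
# Added example (not Password Pusher's own code): how a Rack/Rails-style
# backend decides whether a request is "secure", and why a missing
# X-Forwarded-Proto header behind a TLS-terminating proxy yields a session
# cookie without the Secure flag. All request environments are constructed.

SESSION_COOKIE = "_PasswordPusher_session"

# Scheme as seen by the application. Simplified model of common Rack
# behaviour (assumption): trust X-Forwarded-Proto (first value if it is a
# comma-separated chain) when present, otherwise fall back to the scheme of
# the socket the app itself accepted.
def effective_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  return forwarded.split(",").first.strip.downcase if forwarded && !forwarded.empty?
  env.fetch("rack.url_scheme", "http")
end

def secure_request?(env)
  effective_scheme(env) == "https"
end

# Build the Set-Cookie header the backend would send. The Secure attribute
# is only added when the request is judged to be HTTPS.
def session_set_cookie(env, value)
  attrs = ["#{SESSION_COOKIE}=#{value}", "path=/", "HttpOnly", "SameSite=Lax"]
  attrs << "Secure" if secure_request?(env)
  attrs.join("; ")
end

# Defender-side check: parse a Set-Cookie header and report whether it
# carries the Secure attribute (attribute names are case-insensitive).
def cookie_secure?(set_cookie)
  parts = set_cookie.split(";").map(&:strip)
  parts.drop(1).any? { |attr| attr.casecmp?("secure") }
end

# Constructed request environments for the cases discussed in the issue.
DIRECT_HTTP  = { "rack.url_scheme" => "http" }
DIRECT_HTTPS = { "rack.url_scheme" => "https" }
# TLS terminated at the proxy, backend reached over plain HTTP, header not forwarded:
# indistinguishable from DIRECT_HTTP as far as the application can tell.
PROXY_NO_HEADER = { "rack.url_scheme" => "http" }
# Same deployment, but the proxy forwards X-Forwarded-Proto.
PROXY_WITH_HEADER = { "rack.url_scheme" => "http", "HTTP_X_FORWARDED_PROTO" => "https" }

if __FILE__ == $0
  {
    "direct http" => DIRECT_HTTP,
    "direct https" => DIRECT_HTTPS,
    "proxy, no X-Forwarded-Proto" => PROXY_NO_HEADER,
    "proxy, X-Forwarded-Proto: https" => PROXY_WITH_HEADER,
  }.each do |label, env|
    header = session_set_cookie(env, "abc123")
    puts format("%-32s Secure=%-5s  %s", label, cookie_secure?(header), header)
  end
end
```

Running it shows the third case (TLS at the proxy, header not forwarded) producing the same non-Secure cookie as plain HTTP, which is the symptom reported above; the fix lives in the proxy configuration (for nginx, `proxy_set_header X-Forwarded-Proto $scheme;` in the location that proxies to the backend) rather than in the application. The `cookie_secure?` check can be pointed at a real `Set-Cookie` header captured from the deployed site to confirm the change took effect.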