quarkiverse / quarkus-renarde

Server-side Web Framework with Qute templating, magic/easier controllers, auth, reverse-routing
Apache License 2.0
78 stars 19 forks

Cookies should have secure attribute enabled when served over secure connection (HTTPS) #126

Closed horvie closed 1 year ago

horvie commented 1 year ago

Currently all cookies have the attribute "Secure" set to false (the default value). That is expected for tests and dev mode, but usually in production people serve the app over HTTPS, and that shouldn't be the case.


AFAIK the standard approach is to call Cookie.setSecure(HttpServerRequest.isSSL()) when creating new cookies. That should work well for all the above cases, without the need for additional configuration.

Quote from OWASP: The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish this goal, browsers which support the secure attribute will only send cookies with the secure attribute when the request is going to an HTTPS page. Said in another way, the browser will not send a cookie with the secure attribute set over an unencrypted HTTP request. By setting the secure attribute, the browser will prevent the transmission of a cookie over an unencrypted channel.
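The approach proposed above, written out as an added example (this is not quarkus-renarde code and not the contents of the fix PR): a small helper that builds a Vert.x cookie whose Secure flag mirrors whether the request arrived over TLS. The class name `SecureAwareCookies` and its methods are assumptions for illustration; `Cookie.cookie`, `setSecure`, `HttpServerRequest.isSSL()` and `HttpServerResponse.addCookie` are the real Vert.x 4 APIs that Quarkus exposes.

```java
// Added example, not project code: Secure flag derived from the connection,
// so dev mode over plain http://localhost keeps working while production over
// HTTPS gets cookies the browser refuses to send in clear text.
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpServerResponse;

public final class SecureAwareCookies {

    private SecureAwareCookies() {}

    /**
     * Build a cookie that is marked Secure exactly when the current request
     * came in over TLS. No extra configuration is needed: the same code is
     * correct in tests, in dev mode and in an HTTPS deployment.
     */
    public static Cookie create(HttpServerRequest request, String name, String value) {
        return Cookie.cookie(name, value)
                .setSecure(request.isSSL()) // the change requested in this issue
                .setPath("/");
    }

    /** Attach such a cookie to the response that answers the same request. */
    public static void addTo(HttpServerRequest request, HttpServerResponse response,
                             String name, String value) {
        response.addCookie(create(request, name, value));
    }

    /**
     * Sanity check mirroring the OWASP text quoted above: a browser only sends
     * a Secure cookie on an HTTPS request, and sends a non-Secure cookie on both.
     */
    public static boolean browserWouldSend(Cookie cookie, boolean requestIsHttps) {
        return !cookie.isSecure() || requestIsHttps;
    }
}
```

One caveat worth checking in a real deployment: `isSSL()` describes the hop that reached the application. If TLS is terminated at a reverse proxy and the app itself listens on plain HTTP, the flag will stay off unless Quarkus is configured to trust the proxy's forwarded-protocol header (the `quarkus.http.proxy.proxy-address-forwarding` setting), so verify the `Set-Cookie` header actually carries `Secure` behind your proxy.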

FroMage commented 1 year ago

Yeah, good point. Do you feel like providing a PR? :)

horvie commented 1 year ago

No problem. Will give it a try.

FroMage commented 1 year ago

Great!

FroMage commented 1 year ago

Let me know if you have any question :)

FroMage commented 1 year ago

Closed by #127