shinyworks / cookies

Use Browser Cookies with 'shiny'
https://shinyworks.github.io/cookies/

Vignette or clearer example: Setting HttpOnly Cookies #74

Open jonthegeek opened 11 months ago

jonthegeek commented 11 months ago

  1. Make sure this makes sense as-implemented.
  2. Give at least a better example, and likely a vignette.

avais88786 commented 11 months ago

Fairly new to R and trying to set cookie as http in RShiny App, looking for a simple example that I can re-implement.

Use Case wise -> User logs in with their username/password on azure b2c login page, the redirect comes to rshiny app, in the server side, we call get_azure_token to get access token, need to save this token as http cookie in the user session

jonthegeek commented 11 months ago

@avais88786 Does it need to be http-only? I recommend trying the "normal" javascript versions first; that's what most tutorials on using cookies will help you implement. It's more secure to use http-only, but it isn't a base-level requirement.

I want to make sure I'm helping with the right thing; perhaps I just need to make it clearer what HttpOnly is for?

avais88786 commented 11 months ago

@jonthegeek if it's easier to put a sample then only.

Normal js cookies work perfect and got the app running 100% with them, just covering my base from corporate security reqs if they raise for it to be httponly - in case.

Btw thanks for the library, works great :)

jonthegeek commented 11 months ago

Ok, great! I'm glad you were able to implement the JS workflow!

I'll probably write the HttpOnly vignette (if that's the route I take) with exactly this sort of case in mind: You already have it working, but now you want to punch up the security a bit.

I need to experiment a little to see if I can make things a little easier. Right now, the HttpOnly case uses some fairly advanced Shiny techniques (where you change the UI depending on whether or not they have the cookie, basically). You can see a demo in {shinyslack} (https://github.com/r4ds/shinyslack), but I haven't updated that code in quite a while and I'm guessing it isn't very easy to follow!
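
The "change the UI depending on whether or not they have the cookie" pattern mentioned in the comment above, as an added example that is not code from the {cookies} package, {shinyslack}, or anyone in this thread. It uses only base Shiny plus `openssl::rand_bytes()`; the cookie name, the helper names `parse_cookies()` and `issue_cookie()`, and the cookie value are assumptions made for illustration.

```r
library(shiny)

COOKIE_NAME <- "app_session"  # hypothetical cookie name

# Split a raw Cookie request header ("a=1; b=2") into a named list.
parse_cookies <- function(header) {
  if (is.null(header) || !nzchar(header)) return(list())
  parts <- trimws(strsplit(header, ";", fixed = TRUE)[[1]])
  parts <- parts[grepl("=", parts, fixed = TRUE)]
  stats::setNames(as.list(sub("^[^=]*=", "", parts)), sub("=.*$", "", parts))
}

# Plain HTTP response whose only job is to carry the Set-Cookie header.
# A link is used instead of an automatic reload, so a browser that rejects
# the cookie cannot end up in a reload loop.
issue_cookie <- function(value) {
  httpResponse(
    status = 200L,
    content_type = "text/html; charset=UTF-8",
    content = "<p>Session cookie set. <a href=''>Continue</a></p>",
    headers = list("Set-Cookie" = paste0(
      COOKIE_NAME, "=", value,
      # HttpOnly: hidden from document.cookie; Secure: sent over HTTPS only.
      "; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax"
    ))
  )
}

# A ui *function* receives the HTTP request, so it can branch on the cookie.
ui <- function(request) {
  if (is.null(parse_cookies(request$HTTP_COOKIE)[[COOKIE_NAME]])) {
    # Constructed value: an opaque random id from the openssl package's CSPRNG.
    id <- paste(as.character(openssl::rand_bytes(16)), collapse = "")
    return(issue_cookie(id))
  }
  fluidPage(h3("HttpOnly cookie demo"), verbatimTextOutput("status"))
}

server <- function(input, output, session) {
  # The browser still sends the cookie with the session's WebSocket handshake.
  output$status <- renderText({
    id <- parse_cookies(session$request$HTTP_COOKIE)[[COOKIE_NAME]]
    if (is.null(id)) "No cookie on this session" else "Server received the HttpOnly cookie"
  })
}

shinyApp(ui, server)
```

Because the cookie carries the `Secure` attribute, serve the app over HTTPS when trying this; in the browser console, `document.cookie` will not list `app_session` even though the server reports receiving it.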