Minor change to provide more security on the session cookie:
Enforce HttpOnly on the cookie to protect it from potential XSS attacks
Add support for Secure flag on cookie
Enable setting the path on cookie:
I noticed that if you authenticate on anything but the "/" path, the cookie is created with that path. This leads to multiple cookies in the browser set to different paths. Setting the path to "/" fixes that.
Example:
Browse to my domain.com/app/static/image.jpg => Cookie Path: /app/static
Browse to my domain.com/app/static => Cookie Path: /app
Browse to my domain.com => Cookie Path: /
I think for most use cases, having the path on / would make sense.
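As an added example (not code from this PR or its project): a small Python model of the behaviour described above. It assumes the RFC 6265 "default-path" rule, which is what produces the per-path cookies in the example, and renders the hardened Set-Cookie header (HttpOnly, Secure, Path=/) next to it.

```python
# Added example, not part of the PR. Models RFC 6265 section 5.1.4:
# when a Set-Cookie header carries no Path attribute, the browser scopes
# the cookie to the request path up to (not including) the right-most "/".
from http.cookies import SimpleCookie


def default_path(request_path: str) -> str:
    """RFC 6265 default-path for a request URI path (assumed rule)."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    idx = request_path.rfind("/")
    if idx == 0:  # only the leading "/", e.g. "/" or "/index"
        return "/"
    return request_path[:idx]


def build_session_cookie(name: str, value: str, *, secure: bool = True,
                         path: str = "/") -> str:
    """Render a Set-Cookie value with HttpOnly always on, Secure optional."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path        # explicit "/" avoids per-path cookies
    jar[name]["httponly"] = True    # not readable from document.cookie
    if secure:
        jar[name]["secure"] = True  # only sent over HTTPS
    return jar[name].OutputString()


def effective_path(set_cookie: str, request_path: str) -> str:
    """Path the browser will scope the cookie to after this response."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    return morsel["path"] or default_path(request_path)


if __name__ == "__main__":
    # Constructed request paths from the PR description.
    for req in ("/app/static/image.jpg", "/app/static", "/"):
        before = effective_path("session=abc", req)          # no Path set
        after = effective_path(build_session_cookie("session", "abc"), req)
        print(f"{req:24} before: {before:12} after: {after}")
```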