
anti-csrf cookies with nonces only work on https #6

Closed
mrjones-plip opened this issue Mar 20, 2017 · 1 comment

Comments

@mrjones-plip
Contributor

The 1.1 release breaks compatibility with http-only sites because the cookie is set with the "secure" flag and then (correctly) not sent on subsequent http requests. We either need to very clearly call out that we don't support http traffic or offer an unsafe mode for the library to work in. Given the nature of the library (writing to a db), the former is likely a good fix.

The bummer is this breaks the ol' php -S localhost:8000 trick, as it doesn't support SSL. Hmm....
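The behaviour described in the comment above, as an added example that is not the library's code: Python's http.cookiejar applies the same Secure rule a browser does, so a nonce cookie stored from an https response is withheld from a later plain-http request, while a cookie issued without Secure (the "unsafe mode" the comment weighs) comes back over http. The host example.test, the cookie name csrf_nonce and the allow_http switch are assumptions made for the demo.

```python
"""Demonstrate why a Secure-flagged anti-CSRF nonce cookie never returns over http."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies() (constructed)."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def csrf_set_cookie(nonce: str, allow_http: bool) -> str:
    """Build the Set-Cookie header a server would emit for the nonce.

    allow_http=True is the hypothetical 'unsafe dev mode': it drops Secure so the
    cookie also travels over http, which on a real network means in clear text.
    """
    attrs = ["csrf_nonce=" + nonce, "Path=/", "HttpOnly", "SameSite=Strict"]
    if not allow_http:
        attrs.append("Secure")
    return "; ".join(attrs)


def nonce_sent_back(set_cookie: str, issued_on: str, next_request: str) -> bool:
    """Store the cookie from the response to issued_on, then report whether the
    jar attaches it to a follow-up request to next_request."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), Request(issued_on))
    follow_up = Request(next_request)
    jar.add_cookie_header(follow_up)  # applies the Secure / domain / path checks
    return follow_up.has_header("Cookie") and "csrf_nonce=" in follow_up.get_header("Cookie")


if __name__ == "__main__":
    secure = csrf_set_cookie("abc123", allow_http=False)
    dev = csrf_set_cookie("abc123", allow_http=True)
    print("Secure cookie, https form -> https save:",
          nonce_sent_back(secure, "https://example.test/form", "https://example.test/save"))
    print("Secure cookie, https form -> http save: ",
          nonce_sent_back(secure, "https://example.test/form", "http://example.test/save"))
    print("Dev-mode cookie, http form -> http save:",
          nonce_sent_back(dev, "http://example.test/form", "http://example.test/save"))
```

The middle case is the one that breaks the php -S workflow: the nonce is stored but the next http POST arrives without it, so the token check fails.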

mrjones-plip pushed a commit that referenced this issue Apr 11, 2017
add security docs per #5, add dev process with no ssl per #6, sort enum/drop down per #7, prep 1.3 release
@mrjones-plip
Contributor Author

Fixed in PR #8.
