
fix: omit Secure attribute from cookies when cookie_secure is false#730

Merged: fergusfinn merged 2 commits into main from fix/cookie-secure-attribute on Feb 18, 2026

Conversation

Contributor

@fergusfinn fergusfinn commented Feb 18, 2026

Summary

  • When cookie_secure is set to false, the Set-Cookie header was emitting Secure=false. Per the HTTP spec, Secure is a boolean flag — its mere presence causes browsers to treat the cookie as secure-only, regardless of value. Secure=false is not valid syntax and browsers interpret it the same as Secure, preventing the cookie from being set over plain HTTP.
  • Also fixes the logout handler which hardcoded ; Secure regardless of the cookie_secure config setting.

Test plan

  • Set cookie_secure: false in config.yaml
  • Login and verify the Set-Cookie response header does not contain Secure
  • Set cookie_secure: true and verify ; Secure is present
  • Verify logout cookie also respects the setting

The Set-Cookie header was emitting `Secure=false` when cookie_secure
was disabled. Per the HTTP spec, the Secure attribute is a flag — any
presence of it (including `Secure=false`) causes browsers to treat the
cookie as secure-only, preventing it from being set over plain HTTP.

This also fixes the logout cookie which hardcoded `Secure` regardless
of the cookie_secure config setting.
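The behaviour the description relies on (a user agent treats any attribute named `Secure` as the flag, whatever value follows it) is easy to check with a small model of RFC 6265 attribute parsing. The following is an added example, not code from this PR or from the project; the function names `session_cookie`, `logout_cookie`, `buggy_session_cookie` and `parsed_as_secure` are hypothetical, and `buggy_session_cookie` reproduces the pre-fix `Secure=false` shape only for comparison.

```rust
// Added example, not code from this PR or the project it belongs to.
// All function names here are hypothetical.

/// Build a Set-Cookie value for a session cookie. The `secure` flag decides
/// whether `; Secure` is appended at all: there is no `Secure=false` form,
/// so the only correct way to allow the cookie over plain HTTP is to omit it.
pub fn session_cookie(name: &str, value: &str, max_age: u64, secure: bool) -> String {
    // Empty string when the flag is off, so the attribute list stays well-formed
    // (the separator travels with the attribute, never alone).
    let secure_attr = if secure { "; Secure" } else { "" };
    format!(
        "{}={}; Path=/; HttpOnly{}; SameSite=Strict; Max-Age={}",
        name, value, secure_attr, max_age
    )
}

/// Expire a session cookie (logout): empty value and Max-Age=0, built through the
/// same helper so the clearing cookie always carries the same attributes as the
/// cookie it replaces.
pub fn logout_cookie(name: &str, secure: bool) -> String {
    session_cookie(name, "", 0, secure)
}

/// The buggy pre-fix shape, kept only for comparison: interpolating the boolean
/// produces `Secure=false`, which a user agent still reads as the Secure flag.
pub fn buggy_session_cookie(name: &str, value: &str, secure: bool) -> String {
    format!(
        "{}={}; Path=/; HttpOnly; Secure={}; SameSite=Strict",
        name, value, secure
    )
}

/// Model of how a user agent handles the Secure attribute (RFC 6265 section
/// 5.2.5): only the attribute *name* is compared, case-insensitively, and any
/// attribute value is discarded. Hence `Secure=false` is parsed as `Secure`.
pub fn parsed_as_secure(set_cookie: &str) -> bool {
    set_cookie
        .split(';')
        .skip(1) // the first segment is the cookie-pair `name=value`
        .map(str::trim)
        .any(|attr| {
            let attr_name = attr.split('=').next().unwrap_or("").trim();
            attr_name.eq_ignore_ascii_case("secure")
        })
}

fn main() {
    for &secure in &[false, true] {
        let c = session_cookie("session", "abc123", 3600, secure);
        println!(
            "cookie_secure={}: {}\n  -> browser treats as secure-only: {}",
            secure, c, parsed_as_secure(&c)
        );
    }
    let bad = buggy_session_cookie("session", "abc123", false);
    println!(
        "pre-fix shape: {}\n  -> browser treats as secure-only: {}",
        bad, parsed_as_secure(&bad)
    );
}
```

Running it shows the pre-fix header still being classified as secure-only even though the operator set `cookie_secure: false`, which is exactly why the cookie never arrived over plain HTTP; with the fixed builder, the flag is present or absent and nothing in between.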
Copilot AI review requested due to automatic review settings February 18, 2026 13:47
@railway-app railway-app bot temporarily deployed to industrious-light / control-layer-pr-730 February 18, 2026 13:47 Destroyed

railway-app bot commented Feb 18, 2026

🚅 Deployed to the control-layer-pr-730 environment in industrious-light

Service: control-layer | Status: ✅ Success | Web | Updated (UTC): Feb 18, 2026 at 2:02 pm

Contributor

Copilot AI left a comment


Pull request overview

This pull request fixes a critical security misconfiguration in cookie handling. When cookie_secure is set to false, the code was incorrectly emitting Secure=false in the Set-Cookie header. Per the HTTP specification, the Secure attribute is a boolean flag, and any presence of it (even with =false) causes browsers to treat the cookie as secure-only, preventing it from being set over plain HTTP. The fix correctly omits the Secure attribute entirely when cookie_secure is false.

Changes:

  • Modified logout handler to conditionally include the Secure cookie attribute based on cookie_secure configuration
  • Modified create_session_cookie helper function to conditionally include the Secure attribute, fixing both login and register handlers

@railway-app railway-app bot temporarily deployed to industrious-light / control-layer-pr-730 February 18, 2026 13:53 Destroyed
Contributor

@sejori sejori left a comment


LGTM!

"{}=; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=0",
state.config.auth.native.session.cookie_name
"{}=; Path=/; HttpOnly{}; SameSite=Strict; Max-Age=0",
state.config.auth.native.session.cookie_name, secure
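Review bot: the new format string only stays well-formed if the `secure` argument carries its own leading separator, i.e. it must be exactly `"; Secure"` or `""`, otherwise the output degrades to `HttpOnlySecure` or to a dangling `; ` before `SameSite`; its definition is not visible in this fragment, so please confirm that, and that the same helper used by `create_session_cookie` produces it, so the logout cookie and the session cookie can never disagree on the attribute.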
Contributor


I love it 🔥

Contributor


I actually don't love rust templating that much but the result is good ;)

@fergusfinn fergusfinn merged commit e6f936e into main Feb 18, 2026
10 checks passed
fergusfinn pushed a commit that referenced this pull request Feb 19, 2026
🤖 I have created a release *beep* *boop*
---

## [8.1.0](v8.0.1...v8.1.0) (2026-02-19)

### Features

* make demo mode data more realistic ([#731](#731)) ([17aa9bf](17aa9bf))

### Bug Fixes

* advance to step 2 when manually configuring models in edit endpoint modal ([#728](#728)) ([fdcf360](fdcf360))
* omit Secure attribute from cookies when cookie_secure is false ([#730](#730)) ([e6f936e](e6f936e))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).