Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cookieMaxAge and secureCookies options #1612

Merged
merged 8 commits into from
Sep 11, 2019
Merged

Add cookieMaxAge and secureCookies options #1612

merged 8 commits into from
Sep 11, 2019

Conversation

MadeByMike
Copy link
Contributor

@MadeByMike MadeByMike commented Sep 11, 2019
edited

Resolves #1596 and #1595

I followed the pattern of adding options to the keystone object. Not sure if I should have grouped these under cookies or something, we're getting quite a few config options here and I'm not sure these should be on the Keystone constructor?

We could probably save the above for a more general discussion in future.

For both options I've set defaults for dev and production - Can you check these are right?

Can I also get some help on how best to test this? Commits welcome.

@changeset-bot
Copy link

changeset-bot bot commented Sep 11, 2019
edited

🦋 Changeset is good to go

Latest commit: 69a3196

We got this.

Not sure what this means? Click here to learn what changesets are.

@jesstelford
Copy link
Contributor

Yeah, it's starting to get a bit crowded there.

I'm thinking perhaps we have a session config option which is an object that contains some things.

One thing I realised about #1596 is the maxAge doesn't actually invalidate the session. So it gives a false sense of security. Really we need to make sure the sessionStore is the one given that setting, but since we don't control that, we can't. Chicken & Egg.

@timleslie
Copy link
Contributor

I'm thinking perhaps we have a session config option which is an object that contains some things.

Yeah, I'm a big fan of that kind of grouping. Doesn't have to be on this PR, but something to consider for the future.

timleslie
timleslie approved these changes Sep 11, 2019
View reviewed changes
Copy link
Contributor

@timleslie timleslie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@MadeByMike MadeByMike merged commit 0a627ef into master Sep 11, 2019
@MadeByMike MadeByMike deleted the session-security branch September 11, 2019 01:49
@MadeByMike MadeByMike mentioned this pull request Sep 11, 2019
Closed
@molomby molomby mentioned this pull request May 7, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timleslie timleslie timleslie approved these changes

@jesstelford jesstelford Awaiting requested review from jesstelford

@emmatown emmatown Awaiting requested review from emmatown

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Configurable cookie settings for keystone.sid
3 participants
@MadeByMike @jesstelford @timleslie