Allowing clearing of cookies with options. #966
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -42,8 +42,21 @@ class Lucky::CookieJar | |
| {% raise "use CookieJar#delete instead of CookieJar#unset" %} | ||
| end | ||
|
|
||
| # Clear cookies without any specific options. | ||
| def clear : Void | ||
| clear { } | ||
| end | ||
|
|
||
| # Clear cookies with a block to add specific options. | ||
| # | ||
| # jar.clear do |cookie| | ||
| # cookie.path("/") | ||
| # .http_only(true) | ||
| # .secure(true) | ||
| # end | ||
| def clear(&block : HTTP::Cookie ->) : Void | ||
|
There was a problem hiding this comment. I'm not 100% sure I understand the use case. Are you saying that clear doesn't actually clear the cookie? If so should we automatically set the options or something rather than making people pass a block? There was a problem hiding this comment. Exactly, you think you are clearing the cookies but the browser blissfully ignores it if the options don't match. Can't really guess at the options either as there is no way to tell what they were set to originally. I learned this the hard way since the cookies weren't being deleted. I figured out this was the case. I'm going to test this in a bit more of a "production" setup early next week. I'll let you know how that goes. There was a problem hiding this comment. Maybe we need to do something like Explicitly set the cookie if it is empty? Right now I think it does nothing if there are no cookies. lucky/src/lucky/session_handler.cr Lines 21 to 23 in 956d3ab So maybe we need to set a But I'm not sure :) There was a problem hiding this comment. I found the spot in rails that mentions the domain has to be the same as when it's set and deleted. I really think it's a browser "feature". Probably some security related concern. There was a problem hiding this comment. Ah I see! Ok so I think we need a couple things here.
I'd say the current way is a potential security risk because it'd be easy to call session.clear for example and if you set a domain it would not actually clear it out There was a problem hiding this comment. This looks close. I think we should also add a I also think it'd be cool to read the existing cookies and automatically set the domain option when clearing so that it works as you'd expect, but that could come in a later PR. Here's some rough pseudo code for what I mean cookies.each do |cookie|
delete cookie.name do |cookie|
# Set the domain for the user
cookie.domain = cookie.domain
end
endI don't know if that works as-is, but that's kind of what I'm imagining. Or maybe There was a problem hiding this comment. Also along with cookies (maybe in another PR), we should probably think about this whole chrome deal https://adzerk.com/blog/chrome-samesite/ There was a problem hiding this comment. Just to make sure I understand, you're proposing adding a method for setting samesite, right? If so I think that is a good idea. It could accept an enum for the accepted values to keep it nice and safe. I think that should be a separate PR, but yeah this would be a great security feature There was a problem hiding this comment. Ok, just having come across this in rails... we need to NOT do what rails is doing... unless it's been fixed in 6... I have a signed cookie that no matter what combination I do, I can't get rails to delete it, and it's maddening. |
||
| cookies.each do |cookie| | ||
| yield cookie | ||
| delete cookie.name | ||
| end | ||
| end | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SUPERFREAK!