Set Secure setting on AuthSession cookie for HTTPS pages #3182
Comments
@alxndrsn please triage (close or schedule)
Scheduling - this should be a quick win.
Uses secure, httpOnly, and sameSite flags where possible to protect users from cookie hacking. medic/cht-core#3182
Code review please @SCdF. Once this is merged leave it open and assign it back to me so I can test on an actual server using https.
Back to you @garethbowen. Mostly fine, just a comment about implementation and security therein.
Yeah good call. I've changed it to use the NODE_ENV environment variable which I think we're setting to production in medic-os. It's another thing I'll test when this gets merged. Please re-review @SCdF
LGTM @garethbowen, back to you to test etc.
Tested on alpha.dev; works as expected. Leaving in AT so another pair of eyes can check it. For AT:
This should be done in api's login controller.
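A check for the behaviour this issue asks for, as an added example that is not cht-core's code: it builds an `AuthSession` Set-Cookie value with the three flags and audits response headers for them. The function names, `Path=/` and `SameSite=Lax` are assumptions; the NODE_ENV switch follows the discussion in the thread.

```javascript
// Hypothetical helper, not cht-core's code: build the Set-Cookie value for the
// session cookie. Secure is added only in production, like the NODE_ENV switch
// discussed in the thread. Path=/ and SameSite=Lax are assumed values.
function buildSessionCookie(value, env = process.env.NODE_ENV) {
  const attrs = [`AuthSession=${value}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (env === 'production') attrs.push('Secure');
  return attrs.join('; ');
}

// Parse one Set-Cookie header value; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// List the problems with the AuthSession cookie among the Set-Cookie values of
// one response; an empty list means every expected flag is present.
function auditAuthSession(setCookieHeaders, https) {
  const cookie = setCookieHeaders.map(parseSetCookie).find(c => c.name === 'AuthSession');
  if (!cookie) return ['AuthSession cookie not set'];
  const problems = [];
  if (!cookie.attrs.httponly) problems.push('missing HttpOnly');
  const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
  if (!['lax', 'strict'].includes(sameSite)) problems.push('missing or weak SameSite');
  if (https && !cookie.attrs.secure) problems.push('missing Secure on HTTPS');
  return problems;
}

// Constructed sample headers, not captured from a real server.
const samples = {
  before: ['AuthSession=abc123; Version=1; Path=/'],
  production: [buildSessionCookie('abc123', 'production')],
  development: [buildSessionCookie('abc123', 'development')],
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, auditAuthSession(headers, label !== 'development'));
}
```

When testing against a deployed server, pass the response's Set-Cookie values and `true` for an HTTPS origin.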