Modify the cookie name to be specific to the hostname #1688
This change changes the session cookie name to be distinct across all apps by adding a prefix based on the lower-cased application name that we put in the session. This should help prevent different apps attempting to decode and use the same session data.
In a separate PR I will experiment with explicitly setting the domain on the cookies as we create them but I felt it was too much for this PR.
I don't really see the point of having the
The best test for this is to log into the website with developer tools into each app so you can see the session cookie name. You'll now see these distinct cookie names:
Now try logging out; you should see only the cookie for your app deleted, not the others.
Also, I used the Application Name as the prefix instead of using the subdomain of the application (which is unreliable). I think that makes this pretty solid overall.
Code Review Verification Steps
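The per-app cookie naming and logout behaviour that the description above checks by hand, as an added Go example (not code from the mymove project); the `_session_token` suffix, the `/auth/logout` path and the sample app names are assumptions:

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// SessionCookieName prefixes the cookie name with the lower-cased application
// name, as the PR describes; the "_session_token" suffix is assumed here.
func SessionCookieName(appName string) string {
	return strings.ToLower(appName) + "_session_token"
}

// LogoutHandler expires only the calling app's session cookie, so sibling
// apps sharing the parent domain keep their own sessions.
func LogoutHandler(appName string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{
			Name:     SessionCookieName(appName),
			Value:    "",
			Path:     "/",
			MaxAge:   -1, // written as Max-Age=0, which deletes the cookie
			HttpOnly: true,
			Secure:   true,
		})
		w.WriteHeader(http.StatusNoContent)
	}
}

// SimulateLogout sends a logout request carrying a session cookie for every
// app (constructed sample data) and returns the names the response expires;
// Go's cookie parser turns Max-Age=0 back into MaxAge=-1.
func SimulateLogout(appName string, allApps []string) []string {
	req := httptest.NewRequest(http.MethodPost, "/auth/logout", nil)
	for _, a := range allApps {
		req.AddCookie(&http.Cookie{Name: SessionCookieName(a), Value: "tok-" + a})
	}
	rec := httptest.NewRecorder()
	LogoutHandler(appName).ServeHTTP(rec, req)
	var expired []string
	for _, c := range rec.Result().Cookies() {
		if c.MaxAge < 0 {
			expired = append(expired, c.Name)
		}
	}
	return expired
}
```

Running `SimulateLogout("Mil", []string{"Mil", "Office"})` reports only `mil_session_token` as expired, which is the behaviour the manual logout check above looks for.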
tinyels left a comment
We are being pretty inconsistent about using "mil" in some places and "my" in others. Given that the app is no longer called mymove, I think we need a better internal name for the service member app. One that doesn't sound like it was written in Visual Basic ;)
@pjdufour-truss - Deployed to experimental. Verified it worked:
I logged into https://my.experimental.move.mil and received
The consequence of this deploy is that logged-in users will have to re-authenticate with Login.gov.