Rewrite cookie generation to use Web.Cookie and generate spec conforming cookie headers #47
Currently, servant-auth-cookie generates invalid cookies which fail on some browsers. The error is in the rendering of the previously available `acsCookieFlags` field. It resulted in cookies which look like `name=value;HttpOnly=;Secure=;SameSite`. This failed to set a cookie for me on Chrome 64.0.3282.186 on OS X. Firefox and Safari seem to be more lenient in their cookie parsing and parsed the cookie successfully. In any case, if I read the spec correctly, the above should be `name=value;HttpOnly;Secure;SameSite` (note the missing equals signs).

As this package already leverages Web.Cookie from the cookie package, I rewrote the rendering code to use the provided functions, which results in spec conforming cookies. This required the addition of specific fields for the `HttpOnly`, `Secure` and `SameSite` options in the `AuthCookieSettings` type. I have added the fields in the default instance, so the tests continue to run. I am not sure what to do with the version number though - I will leave it up to you, as this might break user code if they were using the `acsCookieFlags` field.
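As an added illustration of the header defect this PR describes (example code written for this page, not code from servant-auth-cookie or the cookie package), the following Python renders a Set-Cookie value with bare flag attributes the way RFC 6265 lays it out, and lints a header for the `HttpOnly=`/`Secure=` form that Chrome rejected; the function names are my own.

```python
"""Render and lint Set-Cookie header values.

Added example, not from servant-auth-cookie or Web.Cookie: it models the
bug from the PR (flag attributes rendered as `HttpOnly=;Secure=`) and the
spec-conforming form (`HttpOnly;Secure`).
"""

# Boolean attributes: they appear bare in the header, never with "=".
FLAG_ATTRIBUTES = {"httponly", "secure"}
SAME_SITE_VALUES = {"Strict", "Lax", "None"}


def render_set_cookie(name, value, *, http_only=False, secure=False, same_site=None):
    """Build a Set-Cookie value: name=value, then attributes separated by
    "; ", with flag attributes written bare (no "=")."""
    parts = [f"{name}={value}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    if same_site is not None:
        if same_site not in SAME_SITE_VALUES:
            raise ValueError(f"unknown SameSite value: {same_site}")
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def lint_set_cookie(header):
    """Return a list of problems found in a Set-Cookie value.
    Catches the exact defect from the PR: a flag attribute carrying "="."""
    problems = []
    pieces = [p.strip() for p in header.split(";")]
    if not pieces or "=" not in pieces[0]:
        problems.append("missing name=value pair")
    for attr in pieces[1:]:
        if not attr:
            problems.append("empty attribute (stray ';')")
            continue
        key, eq, _val = attr.partition("=")
        if key.lower() in FLAG_ATTRIBUTES and eq:
            problems.append(f"{key} must not have a value (got '{attr}')")
    return problems


if __name__ == "__main__":
    # Constructed sample: the broken header from the PR beside the fixed one.
    print(lint_set_cookie("name=value;HttpOnly=;Secure=;SameSite"))
    print(render_set_cookie("name", "value", http_only=True, secure=True, same_site="Strict"))
```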