httpOnly is false when HTTPS
Closed this issue · 2 comments
realorbit commented
Current behaviour is that HttpOnly is only true if the request is not encrypted, i.e. HTTP. The issue with which is that the cookie is set and removed from Google Chrome if HttpOnly is false. Meaning, whenever the cookie is requested over HTTPS, the cookie is not visible to the client.
Solution is to always set HttpOnly to true. This should also serve as a security improvement.
nodebb-plugin-session-sharing/library.js, line 599 in 877b391
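To make the reported behaviour concrete, here is an added example (not the plugin's own code) that builds cookie options the way the report describes, beside the fixed version, and a small Set-Cookie audit helper a defender can run against captured headers. The cookie name, values and the shape of the option object are constructed for illustration.

```javascript
// Added example, not code from nodebb-plugin-session-sharing.

// Behaviour as reported in the issue: HttpOnly is derived from whether the
// request was encrypted, so every HTTPS response lacks the HttpOnly flag.
function cookieOptionsReported(isEncrypted) {
  return { httpOnly: !isEncrypted, secure: isEncrypted, path: '/' };
}

// Fixed behaviour: HttpOnly is independent of the transport and always on.
// Secure still follows the transport so plain-HTTP development setups work.
function cookieOptionsFixed(isEncrypted) {
  return { httpOnly: true, secure: isEncrypted, path: '/' };
}

// Render an option object into a Set-Cookie header value
// (the subset of attributes relevant here: Path, Secure, HttpOnly).
function toSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path}`];
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Defender-side check: parse a Set-Cookie header value and report which
// hardening flags are present and which are missing. Attribute names are
// case-insensitive per RFC 6265, so compare lower-cased.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const wanted = ['httponly', 'secure'];
  return {
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    missing: wanted.filter((f) => !attrs.includes(f)),
  };
}

// Constructed sample: the same session cookie over HTTPS, before and after.
const reportedHeader = toSetCookie('session', 'abc123', cookieOptionsReported(true));
const fixedHeader = toSetCookie('session', 'abc123', cookieOptionsFixed(true));
console.log('reported:', reportedHeader, auditSetCookie(reportedHeader).missing);
console.log('fixed:   ', fixedHeader, auditSetCookie(fixedHeader).missing);
```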
julianlam commented
This is weird, I wonder why that is. It almost looks like my understanding of httpOnly is incorrect... like I thought it stood for the opposite of secure.
Anyway, httpOnly should always be enabled.
julianlam commented
v5.1.7