julianlam/nodebb-plugin-session-sharing

httpOnly is false when HTTPS

Closed this issue · 2 comments

The current behaviour is that HttpOnly is only true if the request is not encrypted, i.e. HTTP. The issue with this is that the cookie is set and then removed by Google Chrome if HttpOnly is false. Meaning, whenever the cookie is requested over HTTPS, the cookie is not visible to the client.

The solution is to always set HttpOnly to true. This should also serve as a security improvement.

httpOnly: !req.secure,

This is weird, I wonder why that is. It almost looks like my understanding of httpOnly is incorrect... like I thought it stood for the opposite of secure.

Anyway, httpOnly should always be enabled.

v5.1.7
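As an added example (not code from the plugin or from anyone in this thread), the cookie options as the issue describes them, with `httpOnly` derived from `!req.secure`, beside the always-on form, each serialized into a `Set-Cookie` header and parsed back so the attributes the browser actually receives can be checked. The function names, the small serializer, and the two constructed request objects are assumptions; `req.secure` mirrors the Express property of that name (true when the connection is TLS).

```javascript
// Added example, not the plugin's code. Shows why tying HttpOnly to the
// transport is wrong: HttpOnly and Secure are independent attributes.
//   Secure   -> browser only sends the cookie over TLS.
//   HttpOnly -> browser never exposes the cookie to document.cookie (script).
// Names below are hypothetical; `req.secure` mirrors Express's req.secure.

function buildCookieOptionsBuggy(req) {
  return {
    path: '/',
    maxAge: 24 * 60 * 60 * 1000, // one day, in ms, as Express expects
    secure: req.secure,
    httpOnly: !req.secure,       // the bug from the issue: HttpOnly is dropped on HTTPS
    sameSite: 'lax',
  };
}

function buildCookieOptionsFixed(req) {
  return {
    path: '/',
    maxAge: 24 * 60 * 60 * 1000,
    secure: req.secure,          // still follows the connection
    httpOnly: true,              // always on, regardless of transport
    sameSite: 'lax',
  };
}

// Minimal Set-Cookie serializer (a subset of what Express / the `cookie`
// package emit); assumed here so the example runs without dependencies.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header back into its boolean attributes, the way a test
// or a reviewer would check what the response actually carried.
function cookieFlags(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim().toLowerCase());
  return {
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
  };
}

// Constructed requests: one plain HTTP, one HTTPS.
const httpReq = { secure: false };
const httpsReq = { secure: true };

// Returns, per transport, the flags produced by the buggy and the fixed options.
function demo() {
  const rows = [];
  for (const [label, req] of [['http', httpReq], ['https', httpsReq]]) {
    const buggy = serializeCookie('nodebb_session', 'abc123', buildCookieOptionsBuggy(req));
    const fixed = serializeCookie('nodebb_session', 'abc123', buildCookieOptionsFixed(req));
    rows.push({ label, buggyHeader: buggy, fixedHeader: fixed,
                buggy: cookieFlags(buggy), fixed: cookieFlags(fixed) });
  }
  return rows;
}

for (const row of demo()) {
  console.log(`${row.label}: buggy -> ${row.buggyHeader}`);
  console.log(`${row.label}: fixed -> ${row.fixedHeader}`);
}
```

Running it shows the buggy options emitting `HttpOnly` only on the HTTP request and `Secure` only on the HTTPS one, so the session cookie is readable from page script exactly on the encrypted deployment where it matters most; the fixed options emit `HttpOnly` in both cases and leave `Secure` to follow the connection. The usual reviewer check is the one `cookieFlags` performs: inspect the actual `Set-Cookie` header in a response rather than the options object.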