Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set the Secure flag on Popcode's session token cookie #1587

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Set the Secure flag on Popcode's session token cookie #1587

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c1488a7
add secure: true
Oct 9, 2018
4463367
fix indentation to un-break CI tests
Oct 9, 2018
d7b87e6
fix: error Missing trailing comma
Oct 9, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/clients/firebase.js
View file
Open in desktop
Expand Up @@ -262,7 +262,10 @@ export function setSessionUid() {
Cookies.set(
VALID_SESSION_UID_COOKIE,
uid,
{expires: new Date(Date.now() + SESSION_TTL_MS)},
{
expires: new Date(Date.now() + SESSION_TTL_MS),
secure: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andy11 this seems like a reasonable change, but unfortunately it does break behavior in development, where people will typically not be running Popcode over https. So, we should make this behavior configurable, by:

  • Introducing an environment variable e.g. REQUIRE_SECURE_SESSION_COOKIE
  • Passing it through to the client-side code via Webpack (with a default of false)
  • Adding it with value true in our Travis configuration (I will do this once the code is ready)
  • Exposing it as a boolean via the config module

The specific behavior is retaining the user session on refresh—you’ll find that right now, if you log in and then refresh the page with this branch checked out, you’ll be logged back out.

},
);
}
}