Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set the Secure flag on Popcode's session token cookie #1587

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/clients/firebase.js
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,10 @@ export function setSessionUid() {
Cookies.set(
VALID_SESSION_UID_COOKIE,
uid,
{expires: new Date(Date.now() + SESSION_TTL_MS)},
{
expires: new Date(Date.now() + SESSION_TTL_MS),
secure: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andy11 this seems like a reasonable change, but unfortunately it does break behavior in development, where people will typically not be running Popcode over https. So, we should make this behavior configurable, by:

  • Introducing an environment variable e.g. REQUIRE_SECURE_SESSION_COOKIE
  • Passing it through to the client-side code via Webpack (with a default of false)
  • Adding it with value true in our Travis configuration (I will do this once the code is ready)
  • Exposing it as a boolean via the config module

The specific behavior is retaining the user session on refresh—you’ll find that right now, if you log in and then refresh the page with this branch checked out, you’ll be logged back out.

},
);
}
}