
Provide an option to set Form based auth encrypted cookie as HttpOnly #27853

Conversation

michalvavrik
Contributor

fixes: #27609

Provide convenient way to make the cookie that is used to store the persistent session HttpOnly.

@michalvavrik michalvavrik force-pushed the feature/form-based-auth-http-only-cookie branch from 9d083b2 to c5a921d Compare September 10, 2022 21:44
@michalvavrik
Contributor Author

cc @sberyozkin

@sberyozkin
Member

Hi @michalvavrik, thanks for the PR, looks fine, but I wonder, should we even introduce a property and instead just set HttpOnly by default? We do it in quarkus-oidc too, there's no reason to allow the client side scripts to access this cookie, so just adding this attribute by default works IMHO

@michalvavrik
Contributor Author

@sberyozkin doesn't the client need to access this cookie in order to make it expired (aka "delete it") as advised here for logout #27389 (comment)? I can prepare a reproducer to find out, but if you know this already, you can tell me :-)

@sberyozkin
Member

@michalvavrik I forgot about that, good point. Right, so ideally the logout would be handled at the server, by deleting the same cookie, but with form based authentication I suppose we should support the client side removal of this cookie too
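The server-side logout that the reply above describes, as an added example that is not code from this PR or from the Quarkus project: once the form-auth cookie is HttpOnly, page scripts can no longer expire it via `document.cookie`, so a logout endpoint has to send a `Set-Cookie` for the same cookie name and path with `Max-Age=0`. The cookie name `quarkus-credential`, the path `/`, the resource path `/logout` and the `javax.ws.rs` (Quarkus 2.x) imports are assumptions for the example; the name and path must match whatever the application configures for the form-auth cookie, otherwise the browser treats the expired cookie as a different one and keeps the session.

```java
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

/**
 * Example logout endpoint (not part of the PR). It clears the form-auth
 * session cookie from the server side, which is the only way to remove it
 * once the cookie carries the HttpOnly attribute.
 */
@Path("/logout")
public class LogoutResource {

    // Assumed values: they must equal the form-auth cookie name and path
    // configured for the application, or the browser will not overwrite
    // the real session cookie.
    static final String COOKIE_NAME = "quarkus-credential";
    static final String COOKIE_PATH = "/";

    // Build a Set-Cookie value that expires the session cookie immediately.
    // maxAge = 0 tells the browser to discard it; secure and httpOnly are
    // kept so the clearing cookie is never weaker than the original.
    static NewCookie expiredSessionCookie() {
        return new NewCookie(
                COOKIE_NAME,   // name
                "",            // empty value
                COOKIE_PATH,   // same path as the session cookie
                null,          // domain: default (host only)
                null,          // comment
                0,             // maxAge 0 = delete now
                true,          // secure
                true);         // httpOnly
    }

    // POST rather than GET so a logout cannot be triggered by a plain link
    // or image load from another origin.
    @POST
    public Response logout() {
        return Response.noContent()
                .cookie(expiredSessionCookie())
                .build();
    }
}
```

A client then logs out with a `fetch("/logout", { method: "POST" })` (or a form submit) instead of manipulating `document.cookie`; the response header `Set-Cookie: quarkus-credential=; Path=/; Max-Age=0; Secure; HttpOnly` is what makes the browser drop the session. Quarkus 3 uses the `jakarta.ws.rs` package names instead of `javax.ws.rs`; the calls are otherwise the same.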

@sberyozkin sberyozkin self-requested a review September 12, 2022 13:56
@sberyozkin sberyozkin merged commit 0f9413c into quarkusio:main Sep 12, 2022
@quarkus-bot quarkus-bot bot added this to the 2.13 - main milestone Sep 12, 2022
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Sep 12, 2022
@michalvavrik michalvavrik deleted the feature/form-based-auth-http-only-cookie branch September 12, 2022 13:58
Labels
area/vertx kind/enhancement New feature or request
Successfully merging this pull request may close these issues.

Extend form auth cookie configuration