Use different cookie names on HTTPS #368
harmen/hypha!368
For HTTPS requests, cookies are marked as "secure", meaning they can no
longer be sent over HTTP. However, this means that the cookie name is
effectively unavailable (broken) for HTTP requests on the same domain.
In practice, this means in a dual HTTP/HTTPS setup, sessions would stop
working on HTTP once a session cookie was set up on HTTPS.
To prevent this, make sure that the cookie names are different between
HTTP and HTTPS. This effectively means that HTTP and HTTPS have
independent sessions running, which is probably what would be expected
(given they can't share the same session for security reasons).
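The failure mode and the fix described above, as an added example (not hypha's own code): a server-side helper that picks the session cookie name and attributes per scheme, and a browser-like cookie jar (Python's `http.cookiejar`, which applies the Secure rule) that shows an HTTPS-set Secure cookie is never attached to an HTTP request, while scheme-specific names let both sessions coexist. The host `example.org`, the cookie names `hypha_session`/`hypha_session_https` and the session IDs are constructed for the demo.

```python
"""Added example, not part of hypha: Secure session cookies vs. HTTP on one host.

Constructed inputs: the host name, cookie names and session IDs below are made
up for the demonstration. CookieJar stands in for the browser's cookie store.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "example.org"  # constructed host, serves both http:// and https://


def session_cookie_name(scheme: str, split_names: bool) -> str:
    """Server side: which cookie name carries the session for this scheme."""
    if split_names and scheme == "https":
        return "hypha_session_https"
    return "hypha_session"


def set_cookie_header(scheme: str, session_id: str, split_names: bool) -> str:
    """Server side: build the Set-Cookie value; HTTPS responses add Secure."""
    name = session_cookie_name(scheme, split_names)
    attrs = [f"{name}={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if scheme == "https":
        attrs.append("Secure")  # browser will never send it over plain HTTP
    return "; ".join(attrs)


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie: str):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._msg


def store_cookie(jar: CookieJar, scheme: str, set_cookie: str) -> None:
    """Client side: the browser receives a Set-Cookie on a <scheme> response."""
    req = Request(f"{scheme}://{HOST}/")
    jar.extract_cookies(_FakeResponse(set_cookie), req)


def cookies_sent(jar: CookieJar, scheme: str) -> dict:
    """Client side: cookies the jar attaches to a later <scheme> request."""
    req = Request(f"{scheme}://{HOST}/")
    jar.add_cookie_header(req)  # applies the Secure rule for non-HTTPS
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(part.strip().split("=", 1) for part in header.split(";"))


def shared_name_scenario() -> dict:
    """One cookie name for both schemes: log in over HTTPS, then visit HTTP.

    The HTTP request carries no session cookie at all, so the session that
    exists on HTTPS is invisible (broken) for HTTP on the same host.
    """
    jar = CookieJar()
    store_cookie(jar, "https", set_cookie_header("https", "S1", split_names=False))
    return {"http": cookies_sent(jar, "http"), "https": cookies_sent(jar, "https")}


def split_name_scenario() -> dict:
    """Scheme-specific names: HTTPS and HTTP each keep an independent session.

    Note the caveat for the server: an HTTPS request carries both cookies, so
    the server must read the name returned by session_cookie_name("https", True)
    rather than "whichever session cookie is present".
    """
    jar = CookieJar()
    store_cookie(jar, "https", set_cookie_header("https", "S1", split_names=True))
    store_cookie(jar, "http", set_cookie_header("http", "P1", split_names=True))
    return {"http": cookies_sent(jar, "http"), "https": cookies_sent(jar, "https")}


if __name__ == "__main__":
    print("shared name:", shared_name_scenario())
    print("split names:", split_name_scenario())
```

The jar models only the Secure rule that every browser applies (a Secure cookie is withheld from non-HTTPS requests); it does not model what a browser does when the HTTP side later tries to set a non-Secure cookie under the same name, which is exactly the ambiguity the split names avoid.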