Skip to content

Add cookieMaxAge and secureCookies options#1612

Merged
MadeByMike merged 8 commits intomasterfrom
session-security
Sep 11, 2019
Merged

Add cookieMaxAge and secureCookies options#1612
MadeByMike merged 8 commits intomasterfrom
session-security

Conversation

@MadeByMike
Copy link
Contributor

@MadeByMike MadeByMike commented Sep 11, 2019
edited
Loading

Resolves #1596 and #1595

I followed the pattern of adding options to the keystone object. Not sure if I should have grouped these under cookies or something, we're getting quite a few config options here and I'm not sure these should be on the Keystone constructor?

We could probably save the above for a more general discussion in future.

For both options I've set defaults for dev and production - Can you check these are right?

Can I also get some help on how best to test this? Commits welcome.

@changeset-bot
Copy link

changeset-bot bot commented Sep 11, 2019
edited
Loading

🦋 Changeset is good to go

Latest commit: 69a3196

We got this.

Not sure what this means? Click here to learn what changesets are.

@jesstelford
Copy link
Contributor

jesstelford commented Sep 11, 2019

Yeah, it's starting to get a bit crowded there.

I'm thinking perhaps we have a session config option which is an object that contains some things.

One thing I realised about #1596 is the maxAge doesn't actually invalidate the session. So it gives a false sense of security. Really we need to make sure the sessionStore is the one given that setting, but since we don't control that, we can't. Chicken & Egg.

jesstelford
jesstelford reviewed Sep 11, 2019
View reviewed changes
jesstelford
jesstelford reviewed Sep 11, 2019
View reviewed changes
@timleslie
Copy link
Contributor

timleslie commented Sep 11, 2019

I'm thinking perhaps we have a session config option which is an object that contains some things.

Yeah, I'm a big fan of that kind of grouping. Doesn't have to be on this PR, but something to consider for the future.

timleslie
timleslie approved these changes Sep 11, 2019
View reviewed changes
Copy link
Contributor

@timleslie timleslie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@MadeByMike MadeByMike merged commit 0a627ef into master Sep 11, 2019
@MadeByMike MadeByMike deleted the session-security branch September 11, 2019 01:49
@MadeByMike MadeByMike mentioned this pull request Sep 11, 2019
Closed
@molomby molomby mentioned this pull request May 7, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jesstelford jesstelford Awaiting requested review from jesstelford

@emmatown emmatown Awaiting requested review from emmatown

1 more reviewer

@timleslie timleslie timleslie approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Configurable cookie settings for keystone.sid

3 participants

@MadeByMike @jesstelford @timleslie