Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only pass session id cookie to api #65

Open
EarthenSky opened this issue Aug 16, 2024 · 7 comments
Open

Only pass session id cookie to api #65

EarthenSky opened this issue Aug 16, 2024 · 7 comments

Comments

@EarthenSky
Copy link
Collaborator

Note that if a cookie's SameSite attribute is set to Strict or Lax, then the cookie will not be sent cross-site, even if credentials is set to include.

We should look into only sending the session id cookie to the api endpoint.

Since our session tokens are reasonably sized (& intended to be private), it's a good idea to not go throwing them at every page & resource GET. There's no security or performance issue of course (latency is way slower than several bytes of data), but it's a good idea to only do what's necessary.

Unless of course, we have some need in the future for non-api pages to serve restricted content? (#54)
@micahdbak
Copy link
Collaborator

FYI I'm pretty sure this is only something that can be configured from the frrontend

@micahdbak
Copy link
Collaborator

but if it can be enforced by the backend somehow that would be kewl

@EarthenSky
Copy link
Collaborator Author

EarthenSky commented Aug 16, 2024
edited
Loading

Cookies are intended to be issued by servers. They're a method by which a server can store data on the client. Local storage is how a client can store data on the client & not automatically sent it to the server (🔥). It's true that clients can create cookies, but it's not a great idea unless it's intended to communicate with the server somehow.

Give a quick scan through the mozzilla page for it

You'll see in auth/login the cookie is set by the server. This is where we'd want to look into adding attributes to it.

Of course, maybe it's not even worth it as mentioned above.

@micahdbak
Copy link
Collaborator

Right yes, but what I mean is that the server issues the auth cookie, but once it's in the client's browser, the server can't really force the client to not send the cookie for GET requests, but do send the cookie for other requests - or at least not that I know of.

I think to prevent the client sending certain cookies, or any cookies for certain requests, this is something that must be done from inside the Fetch API

@EarthenSky
Copy link
Collaborator Author

EarthenSky commented Aug 16, 2024
edited
Loading

at least not that I know of

See the same site attribute I linked to at the beginning of this PR :)

Though actually, it seems that wasn't the exact attribute we'd care about, instead the path attribute is the one we'd care about

@micahdbak
Copy link
Collaborator

Ahh, yeah, I've read about same site before and was like, this isn't gonna work for this case 🤣

Restricting to the path would definitely fix this, and that's something the backend can do

@micahdbak
Copy link
Collaborator

Nice!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@EarthenSky @micahdbak