Secure cookie flag should always be added to the Optimize Auth cookie for https connections


    • Type: Task
    • Resolution: Done
    • Priority: L3 - Default
    • 3.1.0
    • Affects Version/s: None
    • Component/s: backend

      Context:
      With OPT-1929, some CSRF protection has been implemented. However, the secure flag of the Optimize auth cookie is only added if the HTTP endpoint is disabled. This is very counterintuitive. We should also set the secure flag for the HTTPS connection.

      AT:

      • the cookie secure flag is always set for the HTTPS Optimize endpoint
      • all the cookie flags are tested for both the HTTP and the HTTPS endpoint
      • the documentation is adjusted so that it still recommends disabling HTTP but no longer mentions the cookie part.

      Hint:

      • currently we don't test that the cookie flags are set for the HTTPS endpoint
      • we should not set the cookie filter using the Jetty filter feature but rather do it with the CookiePatternRule, similar to how we've done it with the HeaderPatternRule in OPT-3248. So some clean-up is necessary here.
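      The missing test described in the hint, as an added example that is not part of the ticket or of the Optimize code base: it parses a Set-Cookie header and reports which flags are missing for a given endpoint scheme, so that the Secure flag is required on HTTPS independently of whether the HTTP endpoint is enabled. The cookie name and the sample headers are constructed placeholders.

```python
"""Check that the auth cookie carries the expected flags per endpoint scheme."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CookieFlags:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into the flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    same_site = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = value.strip() or None
    return CookieFlags(name, secure, http_only, same_site)


def check_auth_cookie(header: str, scheme: str, cookie_name: str) -> List[str]:
    """Return policy violations for the auth cookie issued on the given scheme.

    Secure is required whenever the cookie is issued over HTTPS, regardless of
    whether a plain-HTTP endpoint is also enabled.
    """
    flags = parse_set_cookie(header)
    if flags.name != cookie_name:
        return [f"expected cookie {cookie_name!r}, got {flags.name!r}"]
    problems = []
    if not flags.http_only:
        problems.append("HttpOnly flag missing")
    if scheme == "https" and not flags.secure:
        problems.append("Secure flag missing on HTTPS endpoint")
    if flags.same_site is None:
        problems.append("SameSite attribute missing")
    return problems


# Constructed sample headers (placeholder cookie name, not real Optimize output).
SAMPLE_HTTPS_BEFORE = "OPTIMIZE_AUTH_PLACEHOLDER=tok; Path=/; HttpOnly; SameSite=Strict"
SAMPLE_HTTPS_AFTER = "OPTIMIZE_AUTH_PLACEHOLDER=tok; Path=/; Secure; HttpOnly; SameSite=Strict"
```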


              Assignee: Unassigned
              Reporter: Johannes