Hard to set cookie secure = true by default #320

Closed
fengmk2 opened this issue Jul 28, 2014 · 9 comments

@fengmk2
Member

fengmk2 commented Jul 28, 2014

According to https://github.com/expressjs/cookies/blob/master/lib/cookies.js#L54

, secure = req.connection.encrypted

The cookies module detects secure by req.connection.encrypted.
And mostly a koa app will be running behind a reverse proxy (nginx) and detect https from the "X-Forwarded-Proto" header.

Now I must set every cookie with the secure = true option.

this.cookies.set('c1', v1, {secure: true});
// ...
this.cookies.set('c2', v2, {secure: true});

Is there an easy way to make cookies secure by default?

this.cookies.set('c1', v1);
// ...
this.cookies.set('c2', v2);
@jonathanong
Member

waiting on #281 and cookies v2

cc @dougwilson

@dougwilson
Contributor

I'm on it :) Though I think the question could be solved by changing the referenced line 54 to

secure = req.protocol === 'https' || req.connection.encrypted

for the time being. It would also mean that people wouldn't need to copy their proxy settings over to Cookies, either.

@dougwilson
Contributor

@fengmk2 try the cookies module version 0.5.0 to see if it works for you.

@dead-horse
Member

I didn't run the code, but it seems like req in cookies is the original http request in node, but the protocol getter is in koa's request object.

@fengmk2
Member Author

fengmk2 commented Jul 28, 2014

@jonathanong We should pass request and response to Cookies instead of req and res https://github.com/koajs/koa/blob/master/lib/application.js#L145

@fengmk2
Member Author

fengmk2 commented Jul 28, 2014

@jonathanong but I'm not sure this can work for the Cookies module... Because req and res on the http module are really different from request and response on koa.

@jonathanong
Member

yeah. ideally anything we need is configurable. make suggestions in the cookies repo :)

@fengmk2 fengmk2 closed this as completed Jul 29, 2014
@dead-horse
Member

Should we keep this issue open before the cookies refactor?

@fengmk2
Member Author

fengmk2 commented Jul 29, 2014

I found it hard to detect https or http inside my app environment; it depends on the nginx config, and the nginx config is out of our control.
So I changed the solution, to define ctx.setCookie(name, value, opts) instead of using ctx.cookies.set.
Then secure or not depends on the app's config.
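
The two detection rules quoted in this thread and the config-driven wrapper described in the last comment, as an added example that is not koa or cookies code. `makeSetCookie`, the `cookieSecure` config key, the fake ctx and the sample request objects are assumptions constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample requests.

// Rule at the referenced line 54: trust only the socket.
function detectSecureOriginal(req) {
  return Boolean(req.connection && req.connection.encrypted);
}

// Rule proposed in the thread: also accept a `protocol` property.
function detectSecureProposed(req) {
  return req.protocol === 'https' || detectSecureOriginal(req);
}

// Constructed: raw Node request as seen behind a TLS-terminating nginx.
// The socket is plain TCP and a raw request has no `protocol` getter.
const rawReqBehindProxy = {
  connection: {},
  headers: { 'x-forwarded-proto': 'https' },
};

// Constructed: a framework request object that exposes `protocol`.
const wrappedReqBehindProxy = { protocol: 'https', connection: {} };

// Config-driven wrapper in the spirit of ctx.setCookie(name, value, opts):
// the deployment config, not request inspection, decides the default.
function makeSetCookie(appConfig) {
  const defaults = { secure: appConfig.cookieSecure === true };
  return function setCookie(ctx, name, value, opts) {
    const merged = Object.assign({}, defaults, opts);
    ctx.cookies.set(name, value, merged);
    return merged;
  };
}

// Constructed stand-in for ctx.cookies that records what would be set.
function makeFakeCtx() {
  const calls = [];
  return { calls, cookies: { set: (n, v, o) => calls.push({ n, v, o }) } };
}

const setCookie = makeSetCookie({ cookieSecure: true }); // assumed config key
const ctx = makeFakeCtx();
setCookie(ctx, 'c1', 'v1');
setCookie(ctx, 'c2', 'v2', { maxAge: 60000 }); // other options are kept
console.log(detectSecureOriginal(rawReqBehindProxy));
console.log(detectSecureProposed(rawReqBehindProxy));
console.log(detectSecureProposed(wrappedReqBehindProxy));
console.log(ctx.calls.map((c) => c.o.secure));
```

Both rules report the raw request behind the proxy as not secure, which is why the proposed one-line change only helps when the object handed to the cookie code exposes `protocol`.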
