Disable secure cookies

Question

Disable secure cookies

Muha0644 opened this issue 4 years ago · comments

The request.response.state() has no way to make the secure flag false. I know it's kind of stupid to send cookies unencrypted, but it's useful for debugging and for non-password related data.

https://github.com/sholladay/pogo/blob/master/lib/response.ts#L92 - there is no way to change this line to false, meaning that browsers will automatically reject the cookie if not using SSL.

Seth Holladay · Answer 1 · Wed Nov 25 2020 02:07:59 GMT+0800 (China Standard Time)

Yeah, that was on purpose. I want to make it really hard for Pogo apps to have security mistakes.

I might be willing to add an option for this. The thing is, it is really easy to add SSL to your localhost these days. Is that your use case? It used to be a huge pain but now there are lots of automated tools and beginner friendly tutorials.

Muha0644 · Answer 2 · Wed Nov 25 2020 06:35:36 GMT+0800 (China Standard Time)

From what I've seen, you normally have to renew the free SSL certs every three months, and that's a real hassle. It's great that Pogo is secure by default, but it sucks that i have to use Deno's setCookie() instead of the much more elegant response.state().

The problem is also that every browser will automatically reject loading the site for self-signed certs and I don't think anyone that has access to my private network is smart enough to sniff packets, or make use of them. It's an extremely stupid idea to send authentication cookies unencrypted, but if it's just preferences or settings it won't matter much if they get leaked.

Seth Holladay · Answer 3 · Wed Nov 25 2020 11:30:46 GMT+0800 (China Standard Time)

The problem is also that every browser will automatically reject loading the site for self-signed certs

This shouldn't happen if you follow the instructions I linked to above. devcert, for example, creates a certificate authority for you (which can easily renew certificates, btw), and then it adds the CA to your operating system's trust store. So the certificate is fully trusted just like any other and no warnings should appear.

Seth Holladay · Answer 4 · Wed Jan 20 2021 14:15:54 GMT+0800 (China Standard Time)

Good news... while I was on the fence about this for a while, in the end I decided to let users override all of the default cookie options. I think I momentarily forgot about that when I wrote the above comment. 😄

You can indeed set secure: false. Here is an example of how to do it...

import pogo from 'https://deno.land/x/pogo/main.ts';

const server = pogo.server({ port : 3000 });

server.router.get('/', (request, h) => {
    return h.response('nom nom').state('somename', {
        secure : false,
        value  : 'somevalue'
    });
});

server.start();

Let me know if you have any further questions or problems related to this.