I recently realized that IXP-Manager by default does not seem to set the secure bit on session cookies.
After digging around I found it is possible to enable this by setting `SESSION_SECURE_COOKIE`, but I didn't find this mentioned anywhere in the docs or example `.env` files.
What do you think about setting this by default - or at least mentioning it in the `.env` files?
So just for anyone else reading this, the functionality here is:
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
I'm definitely happy to document it. I think I'm also happy to default it in the next release - the internet landscape is moving to https only and we should be along for the ride.
Just as an aside - the cookies are encrypted by default already. This is probably why Laravel have not defaulted this and with their massive user base, that kind of change to the defaults in the framework would probably have a lot of fallout. E.g. many Laravel apps might just run on http without a security need for https (marketing sites).
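A way to confirm the effect of `SESSION_SECURE_COOKIE=true` from the response headers, as an added example that is not part of the thread or of IXP-Manager's code. The cookie names and header values are constructed samples, not captured from a real install.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    Attribute names are lower-cased and flag attributes map to True.
    Only the parts after the first ';' are attributes, so a cookie
    value that contains the word "secure" is not mistaken for the flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies a browser would also send over plain HTTP."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        # Browsers match the attribute name case-insensitively.
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers (hypothetical cookie names and values).
BEFORE = [
    "example_session=insecure-sample-value; Max-Age=7200; path=/; httponly; samesite=lax",
    "XSRF-TOKEN=abc123; path=/; samesite=lax",
]
AFTER = [
    "example_session=insecure-sample-value; path=/; secure; httponly; samesite=lax",
    "XSRF-TOKEN=abc123; path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print("flag unset:", insecure_cookies(BEFORE))
    print("flag set:  ", insecure_cookies(AFTER))
```
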