I might be buggin, but I can't see the use of the `PREFIX_SECURE` and `PREFIX_HOST` constants in the `Cookie` class.

As I understand it, `Set-Cookie` headers whose names are prefixed with `__Secure-` and `__Host-` have special meanings and should be processed differently.

I would expect to see these prefixes appended to the cookie name when the cookie is being set in `buildCookieHeader`, or removed when the cookie is being parsed in `parse` (while setting a special flag or something to indicate that the cookie is prefixed and with what).

I know that some of the implementations out there don't handle these prefixes correctly, but they should be implemented as they are part of the standard, and the only way to distinguish between a Secure only (HTTPS) cookie and a Secure only + host (HTTPS + Path) cookie.

Maybe I'm missing something; I would appreciate it if you could clarify this for me.

I used your code as a reference for a cookie class in my own project. I noticed that I didn't handle these prefixes either, so I implemented them and I thought I'd ask you about it.

Thanks for your time.
siktec-lab changed the title from "Handling of 'Secure' prefixes - __Secure- and __Host" to "Handling of 'Secure' prefixes - __Secure- and __Host-" on Jul 8, 2024.
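The prefix rules the issue refers to, enforced on both the header-building and the parsing side, as an added illustration that is not the project's own code. The repository's language is not shown on this page, so the example is written in plain Python; the names `Cookie`, `build_cookie_header`, `parse_set_cookie` and `accept_set_cookie` are assumed for the illustration and only loosely mirror the `buildCookieHeader` / `parse` methods the reporter mentions. The constraints encoded are the ones from RFC 6265bis: a `__Secure-` cookie must carry `Secure`; a `__Host-` cookie must carry `Secure`, must not carry `Domain`, and must have `Path=/`.

```python
"""Cookie-prefix handling for Set-Cookie (illustrative example, not the project's code)."""
from dataclasses import dataclass
from typing import List, Optional

PREFIX_SECURE = "__Secure-"
PREFIX_HOST = "__Host-"


@dataclass
class Cookie:
    name: str                      # name WITHOUT the prefix
    value: str
    secure: bool = False
    http_only: bool = False
    domain: Optional[str] = None
    path: Optional[str] = None
    same_site: Optional[str] = None
    prefix: Optional[str] = None   # PREFIX_SECURE, PREFIX_HOST or None


def prefix_violations(cookie: Cookie) -> List[str]:
    """Return the reasons a prefixed cookie is invalid (an empty list means it is fine)."""
    problems = []
    if cookie.prefix == PREFIX_SECURE:
        if not cookie.secure:
            problems.append("__Secure- requires the Secure attribute")
    elif cookie.prefix == PREFIX_HOST:
        if not cookie.secure:
            problems.append("__Host- requires the Secure attribute")
        if cookie.domain is not None:
            problems.append("__Host- forbids the Domain attribute")
        if cookie.path != "/":
            problems.append("__Host- requires Path=/")
    return problems


def build_cookie_header(cookie: Cookie) -> str:
    """Serialize to a Set-Cookie value, refusing to emit a prefixed cookie the browser would drop."""
    problems = prefix_violations(cookie)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f"{cookie.prefix or ''}{cookie.name}={cookie.value}"]
    if cookie.domain is not None:
        parts.append(f"Domain={cookie.domain}")
    if cookie.path is not None:
        parts.append(f"Path={cookie.path}")
    if cookie.secure:
        parts.append("Secure")
    if cookie.http_only:
        parts.append("HttpOnly")
    if cookie.same_site is not None:
        parts.append(f"SameSite={cookie.same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value; the prefix is stripped from the name and recorded in `prefix`."""
    pieces = [p.strip() for p in header.split(";")]
    raw_name, _, value = pieces[0].partition("=")
    name, prefix = raw_name, None
    for candidate in (PREFIX_HOST, PREFIX_SECURE):
        # prefixes are matched case-insensitively, as user agents do
        if raw_name[: len(candidate)].lower() == candidate.lower():
            prefix, name = candidate, raw_name[len(candidate):]
            break
    cookie = Cookie(name=name, value=value, prefix=prefix)
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.strip()
        elif key == "path":
            cookie.path = val.strip()
        elif key == "samesite":
            cookie.same_site = val.strip()
    return cookie


def accept_set_cookie(header: str) -> Optional[Cookie]:
    """User-agent-style acceptance: a prefixed cookie whose attributes break the prefix is rejected."""
    cookie = parse_set_cookie(header)
    return None if prefix_violations(cookie) else cookie


if __name__ == "__main__":
    # constructed sample: a __Host- session cookie round-tripped through both sides
    hdr = build_cookie_header(Cookie("session", "abc123", secure=True, http_only=True, path="/", prefix=PREFIX_HOST))
    print(hdr)
    print(accept_set_cookie(hdr))
    print(accept_set_cookie("__Host-session=abc123; Path=/"))  # rejected: no Secure
```

Keeping the prefix as a separate field rather than part of the name is what lets the server side distinguish a plain `Secure` cookie from a `__Host-` cookie when it later reads the request back, which is the distinction the issue is asking about; validating in the builder catches the misconfiguration at the point where a developer would otherwise ship a cookie the browser silently discards.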