Unable to use httpOnly attribute for authCookie #851
Labels: bug (A bug that needs to be resolved), help-needed (Action needed: The help of the community would be appreciated), p3 (Minor issue), provider-local (An issue with the local provider)
Environment
Operating System: Darwin
Node Version: v22.6.0
Nuxt Version: 3.12.3
CLI Version: 3.12.0
Nitro Version: 2.9.7
Package Manager: yarn@1.22.22
Builder: -
User Config: ssr, app, css, runtimeConfig, modules, apiParty, auth, plugins, components, build, devServer, compatibilityDate
Runtime Modules: nuxt-api-party@2.0.8, @sidebase/nuxt-auth@0.8.2
Build Modules: -
Reproduction
Set httpOnlyCookieAttribute to true in nuxt.config.js. Try to log in and refresh the page.
Describe the bug
Hello,
I opened a pull request yesterday (that has been merged).
The issue, like I said in the PR, is that the cookie is not saved after logging in if we set httpOnlyCookieAttribute to true (this enables the httpOnly attribute for the cookie, preventing JS access and thus XSS attacks). This is caused by the way the cookie is saved. Indeed, the cookie is saved by useCookie and a watch method in the useAuthState composable (see here), and this is client-side.
To fix the issue (what I am trying to work on), we have to change the way the cookie is defined, from client-side to server-side. With this, the cookie will be created, saved, modified or deleted on the server side, so we will be able to use the httpOnly attribute for the auth cookie, giving us better app security.
I would really appreciate some help on this!
Thank you.
Additional context
No response
Logs
No response