make cookie a bit more secure - fixes #445
We can't make the cookie `HttpOnly` because we're setting it from Javascript, but I'm not sure it's worth the trouble to redesign that: `JSON.parse(localStorage.account).token` gives you the token anyway, hiding the cookie from JS won't offer much protection. At least we can mark is `Secure` (meaning, only send it over HTTPS) and _delete it on logout_ (it wasn't!)
This commit is contained in:
parent
d1f0fc6d5d
commit
6826e43ad7
@ -43,6 +43,7 @@ export async function signout() {
|
||||
waiting();
|
||||
miLocalStorage.removeItem('account');
|
||||
await removeAccount($i.id);
|
||||
document.cookie = `token=; path=/; max-age=0${ location.protocol === 'https:' ? '; Secure' : ''}`;
|
||||
const accounts = await getAccounts();
|
||||
|
||||
//#region Remove service worker registration
|
||||
@ -200,7 +201,7 @@ export async function login(token: Account['token'], redirect?: string) {
|
||||
throw reason;
|
||||
});
|
||||
miLocalStorage.setItem('account', JSON.stringify(me));
|
||||
document.cookie = `token=${token}; path=/; max-age=31536000`; // bull dashboardの認証とかで使う
|
||||
document.cookie = `token=${token}; path=/; max-age=31536000${ location.protocol === 'https:' ? '; Secure' : ''}`; // bull dashboardの認証とかで使う
|
||||
await addAccount(me.id, token);
|
||||
|
||||
if (redirect) {
|
||||
|
Loading…
Reference in New Issue
Block a user