Cookies: stricter settings and conflicts with other apps about sysreptor HOT 4 CLOSED

Hi, we already set some of the mentioned cookie flags and some flags we deliberately do not set.

• SameSite: Strict: already set for sessionid and csrftoken
• HttpOnly: Set for sessionid. Not set for csrftoken because this cookie needs to be readable by JS. CSRF tokens do not require the HttpOnly flag to protect against CSRF attacks.
• Secure: Currently not set. We will add them. Thanks for noticing.
• Path: SysReptor does not support running on a subpath, so we do not set this flag.
• Domain: This flag is deliberately unset such that browsers send this cookie only to the domain that set it. Cookies are only valid for a single SysReptor instance. There is no need to send cookies to other domains.
• Expires: This flag is deliberately unset to use session cookies that are discarded when the browser is closed. The backend enforces session timeout of 14 hours.

from sysreptor.

Thank you for your very swift feedback! Those are very clear statement.

I'm happy that I could at least contribute the suggestion of the Secure flag. For the others, I understand why you cannot / will not implement them.

And thank you for noting that SysReptor does not support running on sub-paths. That's important for us to know! All the more reason to give it its own DNS entry and vhost.

from sysreptor.

Reopening for tracking the resolution.

For Secure attribute, we must check if the installation runs via https, because this might not be the case for local installations.

from sysreptor.

Implemented in https://github.com/Syslifters/sysreptor/releases/tag/2024.49

We introduced the SECURE_SSL_REDIRECT setting to configure that SysReptor should only be accessible via https. All http requests will be redirected to https and Secure flags will be set for cookies. Reverse proxies should set the HTTP header X-Forwarded-Proto: https to signal that incoming requests were TLS-protected https requests.

from sysreptor.