V6 cookies on http #1258
Comments
Actually, I think the cookie change was because of all the domain name fuckery on the live instance, so maybe it would be best to have a server option for cross-site cookies.
Can't this be solved by reading the host of the request?
You mean to see if it starts with https? Sure but the question is more about what is the best solution. Right now I'm checking if the *http.Request has a non-nil TLS attribute, which should work but I haven't been able to test it with https yet, but should we enable cross-site cookies if they're not needed? Does it matter?
TLS will not be set, if you are behind a TLS terminating reverse proxy. Honestly, I am not too knowledgeable about cookies. You and @Chiiruno can decide this one as there are no cookies in v7 and I am focusing on that.
Oh. Websites are complicated.
Oh. It doesn't matter too much, then, as long as it works.
With #1252 cookies are now strictly sent over https. Cookies are necessary for logging in, so it's a little questionable to force people hosting a meguca instance to use https but I don't actually care about that, more important is that the default address is http://127.0.0.1 so I can't log in to test account related things which is a pain.
Checking to see which protocol is being used before setting the cookie attributes seems like a good idea. What do you think?
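One way to do the protocol check discussed in this thread, including the reverse-proxy case where `r.TLS` is nil. This is an added example, not code from the meguca repository; `trustedProxies`, `crossSiteCookies`, `isHTTPS`, `sessionCookie`, the `SameSite=Lax` default and the use of `X-Forwarded-Proto` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies is a hypothetical server option: addresses of reverse
// proxies that are allowed to assert the original scheme.
var trustedProxies = map[string]bool{"127.0.0.1": true, "::1": true}

// crossSiteCookies is a hypothetical server option for cross-site cookies.
var crossSiteCookies = false

// isHTTPS reports whether the client reached the site over HTTPS. r.TLS is
// nil behind a TLS-terminating proxy, so X-Forwarded-Proto is consulted, but
// only when the direct peer is a trusted proxy (any client can send it).
func isHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		return false
	}
	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// sessionCookie builds the login cookie with attributes matched to the scheme.
func sessionCookie(r *http.Request, name, value string) *http.Cookie {
	c := &http.Cookie{
		Name: name, Value: value, Path: "/",
		HttpOnly: true, SameSite: http.SameSiteLaxMode,
	}
	if isHTTPS(r) {
		c.Secure = true
		if crossSiteCookies {
			// Browsers accept SameSite=None only together with Secure.
			c.SameSite = http.SameSiteNoneMode
		}
	}
	return c
}

func main() {
	r := &http.Request{RemoteAddr: "127.0.0.1:8000", Header: http.Header{}} // constructed plain-http request
	fmt.Println(sessionCookie(r, "session", "constructed-value").String())
}
```

On plain http://127.0.0.1 the cookie is issued without `Secure`, so a local login works; over HTTPS, direct or via a trusted proxy, it is marked `Secure`.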