Merge pull request #119 from Slamdunk/cookie_prefix

Set "__Secure-" Cookie Prefix by default
psr7-sessions · Apr 10, 2020 · c22a5d2 · c22a5d2
2 parents 2f7b708 + b88fd51
commit c22a5d2
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 127 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -71,7 +71,7 @@ If you want to fine-tune more settings of `PSR7Session`, then simply use the
 use PSR7Sessions\Storageless\Http\SessionMiddleware;
 
 // a blueprint of the cookie that `PSR7Session` should use to generate
-// and read cookies:
+// and read cookies, be careful to secure it, see defaults below:
 $cookieBlueprint   = \Dflydev\FigCookies\SetCookie::create('cookie-name');
 $sessionMiddleware = new SessionMiddleware(
     $signer, // an \Lcobucci\JWT\Signer
@@ -85,16 +85,19 @@ $sessionMiddleware = new SessionMiddleware(
 );
 ```
 
-It is recommended not to use this setup
+It is recommended not to use this setup.
 
 ### Defaults
 
-By default, sessions generated via the `SessionMiddleware` use following parameters:
-
- * `"slsession"` is the name of the cookie where the session is stored
- * `"slsession"` cookie is configured as [`HttpOnly`](https://www.owasp.org/index.php/HttpOnly)
- * `"slsession"` cookie is configured as [`secure`](https://www.owasp.org/index.php/SecureFlag)
- * The `"slsession"` cookie will contain a [JWT token](http://jwt.io/)
- * The JWT token in the `"slsession"` is signed, but **unencrypted**
- * The JWT token in the `"slsession"` has an [`iat` claim](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1.6)
+By default, sessions generated via the `SessionMiddleware` factory methods use following parameters:
+
+ * `"__Secure-slsession"` is the name of the cookie where the session is stored, [`__Secure-`](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes)
+ prefix is intentional
+ * `"__Secure-slsession"` cookie is configured as [`Secure`](https://tools.ietf.org/html/rfc6265#section-4.1.2.5)
+ * `"__Secure-slsession"` cookie is configured as [`HttpOnly`](https://tools.ietf.org/html/rfc6265#section-4.1.2.6)
+ * `"__Secure-slsession"` cookie is configured as [`SameSite=Lax`](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site)
+ * `"__Secure-slsession"` cookie is configured as [`path=/`](https://github.com/psr7-sessions/storageless/pull/46)
+ * The `"__Secure-slsession"` cookie will contain a [JWT token](https://jwt.io/)
+ * The JWT token in the `"__Secure-slsession"` is signed, but **unencrypted**
+ * The JWT token in the `"__Secure-slsession"` has an [`iat` claim](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1.6)
  * The session is re-generated only after `60` seconds, and **not** at every user-agent interaction
diff --git a/src/Storageless/Http/SessionMiddleware.php b/src/Storageless/Http/SessionMiddleware.php
@@ -47,7 +47,7 @@ final class SessionMiddleware implements MiddlewareInterface
     public const ISSUED_AT_CLAIM      = 'iat';
     public const SESSION_CLAIM        = 'session-data';
     public const SESSION_ATTRIBUTE    = 'session';
-    public const DEFAULT_COOKIE       = 'slsession';
+    public const DEFAULT_COOKIE       = '__Secure-slsession';
     public const DEFAULT_REFRESH_TIME = 60;
 
     private Signer $signer;