In this lesson, we'll learn how to set the secure flag on our session id cookie to ensure it is only transmitted over https connections. This will effectively mitigate the Session Hijacking vulnerability we introduced in the previous lesson.
Instructor: [0:00] We've set up our site to serve traffic over https, and to redirect from http to https. The problem now is, when we do this, we see that we're still submitting the cookie over http. The reason for this is that cookies are set by default to send over both https and http. Luckily, there's a property of cookies called secure. If we pass secure when we set our cookie, it will only send over https.
[0:27] To do this in Express, we go down to our cookie settings for our session cookie and enter in secure: true. Hitting save will cause our server to reload, and we'll go ahead and, in our browser, clear our cookies completely, and go back to the network tab. Now, refresh the page. We can see that the response from the server, when it sets the cookie, now includes Secure as part of the Set-Cookie header.
[1:06] Regardless of how you accomplish this, whether using Express or any other framework, the important bit is that the Set-Cookie header must have the Secure property set on it. If we now once again enter an http URL, we'll see that the http request no longer passes the cookie in the request headers. We now have a site that will redirect from http to https, but will no longer send cookies on http.
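The behaviour the lesson demonstrates in the network tab, written out as an added example (not code from the lesson or from Express): one function builds the Set-Cookie header the way a session middleware would, a parser reads the attributes back, and a third function models the browser rule that a Secure cookie is never attached to a plain http request. The cookie name connect.sid and the value are constructed sample data.

```javascript
// Added example, not part of the egghead lesson. No framework dependency:
// it models the Set-Cookie header and the browser's Secure-attribute rule.

// Build a Set-Cookie header for a session id. `secure` mirrors the Express
// `cookie: { secure: true }` setting the lesson turns on.
function buildSetCookie(name, value, { secure = false, httpOnly = true, path = '/' } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and the flags we care about.
// Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// The browser's decision for an outgoing request: a cookie marked Secure is
// only sent when the request URL is https, which is what closes the
// hijacking window the previous lesson opened.
function shouldSendCookie(cookie, url) {
  const scheme = new URL(url).protocol;
  return !(cookie.secure && scheme !== 'https:');
}

// Defender's check: report what is missing on a session cookie's header.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('missing Secure: cookie will be sent over http');
  if (!c.httpOnly) findings.push('missing HttpOnly: cookie readable from script');
  return findings;
}

// Constructed sample: the same session cookie before and after the fix.
const before = buildSetCookie('connect.sid', 's%3Aexample', { secure: false });
const after = buildSetCookie('connect.sid', 's%3Aexample', { secure: true });
console.log(before, '->', auditSessionCookie(before));
console.log(after, '->', auditSessionCookie(after));
console.log('sent on http after fix:', shouldSendCookie(parseSetCookie(after), 'http://localhost:3000/'));
```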