What would you like to be added:
Cognito-At-Edge by default sets all cookies with the domain attribute. This attribute really should be optional as it leads to issues where you may not want to share cookies across subdomains and could potentially lead to WAF restrictions if a WAF restricts the size of cookie headers.
Why is this needed:
The Domain attribute specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
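To make the host-only versus Domain-scoped behaviour described above concrete, and to show what the `disableCookieDomain` option from the commit referenced below changes, here is an added example (not cognito-at-edge's own code; only the option name `disableCookieDomain` comes from the commit message, every other function and option name is an assumption for this illustration):

```javascript
// Added example (not cognito-at-edge's own code): build Set-Cookie headers
// with or without the Domain attribute and work out which request hosts
// receive them, following RFC 6265 host-only vs. domain-matching rules.
// `disableCookieDomain` is the option named in the referenced commit; the
// other option names and defaults here are assumptions for this example.
function buildSetCookie(name, value, opts = {}) {
  const { cookieDomain, disableCookieDomain = false, path = '/' } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`, 'Secure', 'HttpOnly'];
  // Omitting Domain yields a host-only cookie (exact host, no subdomains).
  if (!disableCookieDomain && cookieDomain) parts.push(`Domain=${cookieDomain}`);
  return parts.join('; ');
}

// Domain attribute of a Set-Cookie string, normalised; null when absent.
function cookieDomainOf(setCookie) {
  const m = /;\s*Domain=([^;]+)/i.exec(setCookie);
  return m ? m[1].trim().replace(/^\./, '').toLowerCase() : null;
}

// RFC 6265 section 5.1.3: a request host matches a cookie domain when it equals
// it or ends in "." + domain; a host-only cookie matches only the setting host.
function cookieSentTo(setCookie, settingHost, requestHost) {
  const domain = cookieDomainOf(setCookie);
  const host = requestHost.toLowerCase();
  if (domain === null) return host === settingHost.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Cookie request header a browser would send to requestHost from a jar of
// { settingHost, setCookie } entries, with its byte length (the WAF
// header-size concern raised in the issue).
function cookieHeaderFor(jar, requestHost) {
  const header = jar
    .filter(c => cookieSentTo(c.setCookie, c.settingHost, requestHost))
    .map(c => c.setCookie.split(';')[0])
    .join('; ');
  return { header, bytes: Buffer.byteLength(header) };
}

// Constructed jar: two apps on sibling subdomains, each setting its own token.
function demoJar(disableCookieDomain) {
  const tok = 'A'.repeat(40); // constructed stand-in for a JWT
  const opts = { cookieDomain: 'example.com', disableCookieDomain };
  return [
    { settingHost: 'app.example.com', setCookie: buildSetCookie('idToken', tok, opts) },
    { settingHost: 'api.example.com', setCookie: buildSetCookie('apiToken', tok, opts) },
  ];
}
// Domain-scoped: api.example.com receives both tokens; host-only: just its own.
console.log(cookieHeaderFor(demoJar(false), 'api.example.com').bytes,
            cookieHeaderFor(demoJar(true), 'api.example.com').bytes); // 99 49
```

With Domain=example.com every sibling subdomain's cookies ride along on each request, which is exactly the header growth the issue warns a size-limiting WAF may reject.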
jwwheeleriv added a commit to jwwheeleriv/cognito-at-edge that referenced this issue on Sep 15, 2021:
* add disable cookie domain attribute as optional
  - in case app needs to exclude domain attribute which is more restrictive (i.e. not allow subdomains)
  - defaults to false to maintain backwards compatibility (i.e. include domain if false or not specified).
* add (Optional) to the disableCookieDomain param documentation
jwwheeleriv changed the title from "Cookie domain attribute should be optional" to "Cookie domain attribute should optionally be disabled" on Sep 16, 2021