We now use server-side Set-Cookie headers for auth-tokens. This lets us mark the cookie HttpOnly, so script injected through an XSS bug cannot read the token and exfiltrate it (it does not fix the XSS itself). Because the browser then attaches the token to every request automatically, the cookie should also carry Secure and a SameSite attribute so that cross-site requests are not silently authenticated (CSRF).
- In login, register, and change-password, we set the cookie; logoff clears it.
- When loading a page, we read the cookie and use the auth-token to sign in.
- For API calls, we should take the auth-token from the cookie instead of expecting it as an argument.
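As an added example (not the project's own code), the flow above in plain Node.js: one helper builds the Set-Cookie value for login/register/change-password (with the "remember me" option from Phase II), one builds the clearing cookie for logoff, and one resolves the token for an API handler from the cookie first, falling back to the explicit argument so old clients keep working. The cookie name authToken and the function names are assumptions.

```javascript
// Added example, not the project's code. Cookie name and helper names are assumed.
const COOKIE_NAME = "authToken";

// Set-Cookie value for a successful login/register/change-password response.
// HttpOnly: document.cookie cannot read it, so an XSS payload cannot steal it.
// Secure: only sent over HTTPS. SameSite=Lax: not sent on cross-site POSTs (CSRF).
// "remember me" adds Max-Age so the cookie survives the browser session.
function buildAuthCookie(token, { rememberMe = false, maxAgeDays = 30 } = {}) {
  // Refuse anything that is not URL-safe; a stray ';' or newline would let a
  // caller inject extra cookie attributes or headers.
  if (!/^[A-Za-z0-9_\-]+$/.test(token)) {
    throw new Error("auth token must be URL-safe; refusing to emit a malformed cookie");
  }
  const parts = [`${COOKIE_NAME}=${token}`, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"];
  if (rememberMe) parts.push(`Max-Age=${maxAgeDays * 24 * 60 * 60}`);
  return parts.join("; ");
}

// Set-Cookie value for logoff: same attributes, empty value, Max-Age=0 deletes it.
function buildLogoffCookie() {
  return `${COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
}

// Parse a request Cookie header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    const raw = pair.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Phase II: an API handler takes the token from the cookie when present and
// otherwise falls back to the explicit authToken argument (the "optionally" step).
function resolveAuthToken(req, args) {
  const cookies = parseCookieHeader(req.headers && req.headers.cookie);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: "cookie" };
  if (args && typeof args.authToken === "string") return { token: args.authToken, source: "argument" };
  return null;
}

// Constructed sample request for demonstration.
const sampleReq = { headers: { cookie: "theme=dark; authToken=abc123; other=x" } };

console.log(buildAuthCookie("abc123", { rememberMe: true }));
console.log(buildLogoffCookie());
console.log(resolveAuthToken(sampleReq, null));
console.log(resolveAuthToken({ headers: {} }, { authToken: "legacy" }));
```

For the client side of Phase II, the JS API calls only need to stop passing the token and make same-origin requests (for fetch, credentials "same-origin" is the default, "include" for cross-origin); the browser supplies the cookie, and the server should then reject requests where the cookie is missing rather than trusting a token in the body.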
Status
Phase I
ANACREON
[x] Convert login, logoff, register, and change-password.
[ ] Test
MINISTRY
[x] Convert login, logoff, register, and change-password.
[x] Test
MULTIVERSE
[x] Convert login, logoff, register, and change-password.
[x] Test
[ ] Test Transcendence client
TRANSCENDENCE
[x] Convert login, logoff, register, and change-password.
[x] Test
Phase II
ANACREON
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.
MINISTRY
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
MULTIVERSE
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.
TRANSCENDENCE
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.
Phase III
DATAMANCER
[ ] Convert login, logoff, register, and change-password.
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.
LUMINOUS
[ ] Convert login, logoff, register, and change-password.
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.