We now use server-side Set-Cookie headers for auth-tokens. This allows us to mark the cookies as httpOnly, so page scripts cannot read the token, which prevents a class of XSS attacks (token theft via injected script).

  • In login, register, and change-password, we set the cookie.
  • When loading a page, we read the cookie and use the auth-token to sign in.
  • For API calls, we should get the auth-token from the cookie instead of expecting it to be in the arguments.
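The three steps above, as an added example that is not part of the original page or of any of the listed projects. The cookie name `authToken`, the `rememberMe` option and the legacy `args.authToken` fallback are assumptions made for illustration:

```javascript
// Added example (not project code): helpers for the cookie-based auth-token flow.
// AUTH_COOKIE, rememberMe and args.authToken are assumed names, not the projects' own.
const AUTH_COOKIE = "authToken";

// Set-Cookie value for login, register and change-password.
// HttpOnly keeps the token away from page scripts; Secure and SameSite limit
// where it is sent. A "remember me" login adds Max-Age so the cookie persists.
function buildAuthCookie(token, { rememberMe = false, maxAgeDays = 30 } = {}) {
  // Reject anything that could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9_\-]+$/.test(token)) throw new Error("token must be cookie-safe");
  const parts = [`${AUTH_COOKIE}=${token}`, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"];
  if (rememberMe) parts.push(`Max-Age=${maxAgeDays * 24 * 60 * 60}`);
  return parts.join("; ");
}

// Set-Cookie value for logoff: same attributes, empty value, expire immediately.
function clearAuthCookie() {
  return `${AUTH_COOKIE}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
}

// Parse a request Cookie header into a name -> value map (first occurrence wins).
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Phase II rule for API calls: prefer the cookie; only fall back to an explicit
// argument for clients that have not been converted yet.
function authTokenForRequest(cookieHeader, args = {}) {
  const fromCookie = parseCookieHeader(cookieHeader)[AUTH_COOKIE];
  if (fromCookie) return { token: fromCookie, source: "cookie" };
  if (args.authToken) return { token: args.authToken, source: "argument" };
  return { token: null, source: "none" };
}
```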

Status

Phase I

ANACREON
[x] Convert login, logoff, register, and change-password.
[ ] Test

MINISTRY
[x] Convert login, logoff, register, and change-password.
[x] Test

MULTIVERSE
[x] Convert login, logoff, register, and change-password.
[x] Test
[ ] Test Transcendence client

TRANSCENDENCE
[x] Convert login, logoff, register, and change-password.
[x] Test

Phase II

ANACREON
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.

MINISTRY
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.

MULTIVERSE
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.

TRANSCENDENCE
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.

Phase III

DATAMANCER
[ ] Convert login, logoff, register, and change-password.
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.

LUMINOUS
[ ] Convert login, logoff, register, and change-password.
[ ] Convert APIs to (optionally) use cookies.
[ ] Convert JS API calls to always use cookies.
[ ] Implement "remember me" checkbox.

See Also