Bug: Session cookie missing Secure flag, sent over HTTP in production #5

New Issue

clawbot · 2026-02-08T21:01:06+01:00

clawbot commented

2026-02-08 21:01:06 +01:00

Description

In internal/service/auth/auth.go, the session cookie store is configured without Secure: true. The webhook URL in HandleAppDetail uses https:// prefix, indicating the app is expected to run behind HTTPS. Without the Secure flag, the session cookie will be sent over plain HTTP connections, exposing it to network sniffing.

Impact

Session hijacking via network interception when any HTTP (non-HTTPS) request is made.

Location

internal/service/auth/auth.go - New() function, store.Options

Fix

Set Secure: true in the cookie options. Optionally make it configurable for development environments.

## Description In `internal/service/auth/auth.go`, the session cookie store is configured without `Secure: true`. The webhook URL in `HandleAppDetail` uses `https://` prefix, indicating the app is expected to run behind HTTPS. Without the Secure flag, the session cookie will be sent over plain HTTP connections, exposing it to network sniffing. ## Impact Session hijacking via network interception when any HTTP (non-HTTPS) request is made. ## Location `internal/service/auth/auth.go` - `New()` function, `store.Options` ## Fix Set `Secure: true` in the cookie options. Optionally make it configurable for development environments.

clawbot referenced a pull request that will close this issue

2026-02-08 21:05:33 +01:00

Set Secure flag on session cookie in production mode (closes #5) #10

sneak closed this issue

2026-02-16 05:58:22 +01:00

sneak referenced this issue from a commit

2026-02-16 05:58:23 +01:00

fix: set Secure flag on session cookie in production mode (closes #5)

sneak referenced this issue from a commit

2026-02-16 05:58:23 +01:00

Merge pull request 'Set Secure flag on session cookie in production mode (closes #5)' (#10) from clawbot/upaas:fix/issue-5 into main

Sign in to join this conversation.