To logout of a basic auth login the browser often needs to be quit entirely. This means there is no way for the server to log out the user. I believe basic auth also has more overhead (assuming your cookie size isn’t massive), but I might be wrong about that. HTTP basic auth also sends … Read more
configure it like this: app.use(express.session({ secret: conf.secret, cookie: { domain:’.yourdomain.com’}, store: new MongoStore(conf.sessiondb) }));
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826 or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx <rewrite> <outboundRules> <rule name=”Add HttpOnly” preCondition=”No HttpOnly”> <match serverVariable=”RESPONSE_Set_Cookie” pattern=”.*” negate=”false” /> <action type=”Rewrite” value=”{R:0}; HttpOnly” /> <conditions> </conditions> </rule> <preConditions> <preCondition name=”No HttpOnly”> <add input=”{RESPONSE_Set_Cookie}” pattern=”.” /> <add input=”{RESPONSE_Set_Cookie}” pattern=”; HttpOnly” negate=”true” /> </preCondition> … Read more
I know it´s a little late for you, but this answer is for all who have the same problem. With HTML5 you can use web storage. (Just an idea! – not tested!) You could define a cookie (via javascript on client) and set the “secure”-attribute. In this case, the cookie will only be sent to … Read more
As of Chrome v107 (Nov 2022) I had a similar issue, spent a few hours digging, and what I found is that the only solution for Chrome is to make your front-end connection secure, ie https (using a proxy for instance): Link An alternative solution is to use Firefox and set: about:config > network.cookie.sameSite.noneRequiresSecure=false. This … Read more
You will not refresh after but just before. When executing the login action first do: HttpSession session = request.getSession(false); if (session!=null && !session.isNew()) { session.invalidate(); } Then do: HttpSession session = request.getSession(true); // create the session // do the login (store the user in the session, or whatever) FYI what you are solving with this … Read more
You can set either expires or maxAge on the individual cookie belonging to the current user: // This user should log in again after restarting the browser req.session.cookie.expires = false; // This user won’t have to log in for a year req.session.cookie.maxAge = 365 * 24 * 60 * 60 * 1000; See connect session … Read more
The secret cookie store was recently removed in Rails 4. See Changelog. In order to get your app working again, replace the line config.session_store :encrypted_cookie_store with config.session_store :cookie_store in config/initializers/session_store.rb. The store will be automatically encrypted. If unsure. Create a new Rails 4 app (rails new app_name –pre) and have a look at the initializers. … Read more