Problem/Motivation

Hi there. I currently use Drupal core's and Symfony's session cookies (via #1361742: Fix cookie conflicts on shared domains) and would like to start using this module instead, but the way that cookie prefixes are handled in this module means that we wouldn't be able to use the __Host cookie prefix because this module would prefix it with S in HTTPS, resulting in S__Host, which basically defeats the reason I'd want to customize the cookie prefix.

More information on cookie prefixes:

Steps to reproduce

Set cookie prefix to __Host; log in via HTTPS; inspect cookies in dev tools; notice the cookie name starts with S__Host.

Proposed resolution

Instead of prefixing the configured prefix, add a suffix to the prefix for HTTPS, in between the configured prefix and the randomly generated part. Alternatively, given that HTTPS should arguably be the default for the web at this point in time, instead add the collision avoidance to any insecure (non-HTTPS) cookies and leave HTTPS cookie names alone.

Remaining tasks

See above.

User interface changes

Mostly just update form description.

API changes

None I think?

Data model changes

Unsure but probably none.


Comments

Ambient.Impact created an issue. See original summary.

gapple made their first commit to this issue’s fork.

gapple commented:

Status: Active » Needs review

Let me know if this MR works for you - it should preserve the prefix on the prefix, resulting in cookie names like __Host-PL669af8b697a5f362dffd3f58410ac59e and __Host-SPL669af8b697a5f362dffd3f58410ac59e
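The naming change discussed in this issue, as an added example that is not part of the thread and not the module's code: it builds the cookie name the way the issue reports (HTTPS marker first) and the way the merge request is described (special prefix kept first), then checks each name against the rules browsers apply to `__Host-` and `__Secure-` cookies. The function names, the `__Host-PL` configured prefix and the `attrs` object shape are assumptions; the identifier is the one in the cookie names quoted above.

```javascript
// Added illustration; not code from the module discussed in this issue.
const SPECIAL_PREFIXES = ['__Host-', '__Secure-'];

// Behaviour reported in the issue: on HTTPS an "S" goes in front of everything.
function legacyName(configured, id, https) {
  return (https ? 'S' : '') + configured + id;
}

// Behaviour described for the merge request: a recognised browser prefix stays
// at the very start and the HTTPS marker is inserted after it.
function fixedName(configured, id, https) {
  const special = SPECIAL_PREFIXES.find((p) => configured.startsWith(p)) || '';
  return special + (https ? 'S' : '') + configured.slice(special.length) + id;
}

// What a browser's cookie-prefix rules make of a cookie with this name.
// attrs: { secure: boolean, path: string, domain?: string } (hypothetical shape)
function prefixVerdict(name, attrs) {
  if (name.startsWith('__Host-')) {
    const ok = attrs.secure === true && attrs.path === '/' && attrs.domain === undefined;
    return ok ? 'host-locked' : 'rejected';
  }
  if (name.startsWith('__Secure-')) {
    return attrs.secure === true ? 'secure-only' : 'rejected';
  }
  return 'unprotected'; // stored, but no prefix guarantees apply
}

// Identifier taken from the cookie names quoted in the thread.
const ID = '669af8b697a5f362dffd3f58410ac59e';
const attrs = { secure: true, path: '/' };

for (const build of [legacyName, fixedName]) {
  const name = build('__Host-PL', ID, true);
  console.log(build.name, name, prefixVerdict(name, attrs));
}
// A Domain attribute voids a __Host- cookie even when the name is right.
console.log(prefixVerdict(fixedName('__Host-PL', ID, true), { ...attrs, domain: 'example.com' }));
```
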

ambient.impact commented:

Awesome work! Will check out once I have some time to spare.

ambient.impact commented:

I had a chance to try this out on a bare-bones Drupal 10 site and I can confirm it works! Noticed a couple of unrelated issues so I'll open follow-ups.

  • gapple committed 7b03ed8d on 2.x
    Issue #3360187: Support Secure and Host cookie prefixes
    
gapple commented:

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.