feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
author: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
committer: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
commit: b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree: 30a2a8f278684f006bbb846cbdd560c9080bcfaf /pkg/web/cookie.go
parent: e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
1 files changed, 0 insertions, 3 deletions
diff --git a/pkg/web/cookie.go b/pkg/web/cookie.go
index c60121f..fd81c1d 100644
--- a/pkg/web/cookie.go
+++ b/pkg/web/cookie.go
@@ -26,8 +26,6 @@ func NewCookie(name, value string, options ...x.Option[*http.Cookie]) *http.Cook
 		cookie.WithPath("/"),
 		cookie.WithHttpOnly(true),
 		cookie.WithSecure(true),
-		cookie.WithSameSite(http.SameSiteDefaultMode),
-		cookie.WithDomain(env.Fetch("HOST", "localhost")),
 	)...)
 }
 
@@ -51,7 +49,6 @@ func withSignedValue(value string) x.Option[*http.Cookie] {
 func ExpireCookie(w http.ResponseWriter, name string) {
 	cookie.Expire(w, name,
 		cookie.WithPath("/"),
-		cookie.WithDomain(env.Fetch("HOST", "localhost")),
 		cookie.WithHttpOnly(true),
 		cookie.WithSecure(true),
 	)
author	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
committer	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
commit	b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree	30a2a8f278684f006bbb846cbdd560c9080bcfaf /pkg/web/cookie.go
parent	e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)