
Add __Host- prefix when secure flag is enabled

This sets the __Host- prefix to the Pleroma session cookie. A browser will only accept a cookie with this prefix if it fulfills the following requirements:

  • The Secure attribute needs to be set
  • The URI scheme must be considered secure by the browser
  • Set-Cookie does not contain a Domain attribute. The cookie is only sent to the host which sets it.
  • Path needs to be set to /. The cookie is sent with every request.

Browsers with no support (IE and Edge) will just ignore the prefix and treat it as part of the name.

Example scenario

A user visits the website for the first time over HTTP and an attacker intercepts the connection and plants a session cookie. Pleroma now thinks that the user already has the cookie and uses the attacker-controlled session. The __Host- prefix prevents this attack, because the session cookie can now only be set over a secure connection.
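The four acceptance rules and the first-visit scenario above, modelled as an added example. This is not code from the merge request or from Pleroma; it is a small JavaScript model of the browser-side check. Assumptions: the prefix is matched case-sensitively, only "https" counts as a secure scheme, a browser without prefix support is modelled as accepting any cookie, the server is modelled as reusing whatever session cookie the browser already presents, and the cookie name `_pleroma_key` is used only for illustration.

```javascript
// Added example (not Pleroma's code): browser-side acceptance check for the
// __Host- cookie prefix, following the four requirements listed above.
// Inputs: a raw Set-Cookie header value and the URI scheme of the response.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into name, value and attribute map.
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : part.slice(i + 1).trim();
    attrs.set(key, val);
  }
  return { name: name.trim(), value, attrs };
}

function cookieAcceptance(header, scheme) {
  const cookie = parseSetCookie(header);
  const problems = [];
  if (!cookie.name.startsWith('__Host-')) {
    // Assumption: without the prefix (or in a browser that ignores it) no
    // prefix rule applies and the cookie is stored as-is.
    return { name: cookie.name, accepted: true, problems };
  }
  // Rule 1: Secure attribute must be set.
  if (!cookie.attrs.has('secure')) problems.push('Secure attribute missing');
  // Rule 2: the scheme must be secure (assumption: only https counts).
  if (scheme !== 'https') problems.push(`scheme "${scheme}" is not secure`);
  // Rule 3: no Domain attribute, so the cookie is host-only.
  if (cookie.attrs.has('domain')) problems.push('Domain attribute present');
  // Rule 4: Path must be exactly "/".
  if (cookie.attrs.get('path') !== '/') problems.push('Path is not "/"');
  return { name: cookie.name, accepted: problems.length === 0, problems };
}

// The first-visit scenario: an attacker on the plain-HTTP path plants a
// session cookie before the user ever reaches the site over HTTPS.
function simulateFirstVisit(cookieName) {
  const jar = new Map();
  // Step 1: attacker's injected Set-Cookie, delivered over HTTP.
  const injected = cookieAcceptance(
    `${cookieName}=attacker-session; Path=/; Secure; HttpOnly`, 'http');
  if (injected.accepted) jar.set(cookieName, 'attacker-session');
  // Step 2: the user reaches the site over HTTPS. Assumed server behaviour:
  // an existing session cookie is reused, otherwise a fresh one is set.
  if (!jar.has(cookieName)) {
    const fresh = cookieAcceptance(
      `${cookieName}=server-session; Path=/; Secure; HttpOnly; SameSite=Lax`, 'https');
    if (fresh.accepted) jar.set(cookieName, 'server-session');
  }
  return { injectedAccepted: injected.accepted, session: jar.get(cookieName) };
}
```

Running `simulateFirstVisit('_pleroma_key')` ends with the attacker's session in the jar, while `simulateFirstVisit('__Host-_pleroma_key')` rejects the HTTP-delivered cookie and the server issues its own session; `cookieAcceptance` also reports which rule a malformed header violates, which is useful when checking a server's actual Set-Cookie output.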
