This sets the `__Host-` prefix to the Pleroma session cookie. A browser will only accept a cookie with this prefix if it fulfills the following requirements:

- `Secure` attribute needs to be set - URI scheme must be considered secure by the browser
- `Set-Cookie` does not contain a `Domain` attribute. The cookie is only sent to the host which sets it.
- `Path` needs to be set to `/`. The cookie is sent at every request.

Browsers with no support (IE and Edge) will just ignore the prefix and treat it as part of the name.

## Example scenario
A user visits the website for the first time over HTTP and an attacker intercepts the connection and plants a session cookie. Pleroma now thinks that the user already has the cookie and uses the attacker-controlled session. The `__Host-` prefix prevents this attack, because the session cookie can now only be set over a secure connection.
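As an added illustration of the three rules listed above (this is example code written for this page, not Pleroma's own code), the following checker parses a `Set-Cookie` header the way a browser does and reports why a `__Host-` cookie would be rejected. The cookie name `__Host-pleroma_session` and the header values are constructed for the example; a defender can run the same check against a server's real response headers to confirm the prefix actually takes effect instead of silently being ignored.

```python
"""Check Set-Cookie headers against the browser rules for the __Host- prefix.

Added example, not Pleroma code. A browser only stores a cookie whose name
starts with __Host- when the Secure attribute is present, no Domain attribute
is given, the Path is exactly "/", and the response came over a secure scheme.
"""
from __future__ import annotations

HOST_PREFIX = "__Host-"


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly have no value and map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def host_prefix_problems(header: str) -> list[str]:
    """Return the reasons a browser would reject this cookie ([] if accepted).

    Cookies without the __Host- prefix are not subject to these rules and
    always return []. The secure-scheme requirement depends on the request,
    so it is checked in browser_accepts() rather than here.
    """
    name, _, attrs = parse_set_cookie(header)
    if not name.startswith(HOST_PREFIX):
        return []
    problems: list[str] = []
    if "secure" not in attrs:
        problems.append("Secure attribute is missing")
    if "domain" in attrs:
        problems.append("Domain attribute must be absent")
    if attrs.get("path") != "/":
        problems.append("Path must be exactly /")
    return problems


def browser_accepts(header: str, request_scheme: str) -> bool:
    """True if a prefix-aware browser would store the cookie.

    request_scheme is the scheme of the response's origin ("https" or "http").
    """
    name, _, _ = parse_set_cookie(header)
    if name.startswith(HOST_PREFIX) and request_scheme != "https":
        # A __Host- cookie is never accepted from an insecure origin, which is
        # exactly what blocks the planted-over-HTTP session from the scenario.
        return False
    return not host_prefix_problems(header)


# Constructed sample headers (not captured from a real Pleroma instance).
GOOD = "__Host-pleroma_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
NO_SECURE = "__Host-pleroma_session=abc123; Path=/; HttpOnly"
WITH_DOMAIN = "__Host-pleroma_session=abc123; Domain=example.org; Path=/; Secure"
BAD_PATH = "__Host-pleroma_session=abc123; Path=/api; Secure"
UNPREFIXED = "pleroma_session=abc123; Path=/"

if __name__ == "__main__":
    for hdr in (GOOD, NO_SECURE, WITH_DOMAIN, BAD_PATH, UNPREFIXED):
        print(f"{hdr!r}: https={browser_accepts(hdr, 'https')} "
              f"http={browser_accepts(hdr, 'http')} {host_prefix_problems(hdr)}")
```

Running the module prints one line per sample header; only `GOOD` is stored over HTTPS, none of the prefixed cookies are stored over plain HTTP, and the unprefixed cookie is accepted on either scheme, which is the gap the prefix closes.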