-
-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AuthCookie for Login with SameSite cookie option #129
base: develop
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewing from my phone, but issue seems to be method name youre using.
(Feel free to ingore the other feedback if you want, happy to handle myself when I'm implementing docs/tests)
97b3f38
to
6565e17
Compare
@alexookah I've rebased this on the current |
6565e17
to
2f302cb
Compare
I've begun implementing a more scalable UX that should provide a path forward on this in #141 . So far, settings have been broken up into different screens, so we can scale horizontally instead of vertically: Once I clean up the provider settings and conditional logic, we should be able to rebase this paying closer attention to what Login/ Cookie settings should be available on a provider level versus globally. |
Co-authored-by: Dovid Levine <justlevine@gmail.com>
Co-authored-by: Dovid Levine <justlevine@gmail.com>
…e for readability.
1eed7c4
to
0905a24
Compare
There's still more work to be done on the admin refactor (e.g. stop saving state I think the next step for this PR (beyond the remaining unresolved comments) is to either see if we can more sensibly organize the order of the |
Refactored cookie settings to their own group in 7024674 |
@justlevine New UI looks awesome! |
Integration (WPUnit) tests are the big one. Everything else I believe can be handled iteratively after this is merged/released. I also need to fix the setting value denouncing before triggering a release, but that's outside the scope of this PR. |
What
This PR enhances the loginCookie functionality by introducing a new AuthCookie class. This class adds options for configuring the cookie's expiration and SameSite attribute. This should resolve this issue.
Why
Currently, the authentication cookie being set is session-only. This means that when a user closes their browser, they need to re-authenticate upon reopening. This change allows for persistent authentication sessions, reducing the need for frequent logins.
How
This PR introduces the AuthCookie class which replaces the default behavior for setting authentication cookies. The AuthCookie class:
Provides the option to set a custom expiration time for the authentication cookie.
Supports the SameSite attribute for cookies, which enhances security by controlling how cookies are sent with cross-site requests.
Allows users to set the cookie as persistent if they opt for the "remember me" functionality, which is currently not supported by default.
Testing Instructions
Login using a Login provider. Verify cookies and check that SameSite is set to None.
Additional Info
Things to improve: Add options in admin for samesite configuration & domain cookie.
Checklist: