conduit-rust / conduit-cookie Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Other Branches

These updates are pending. To force PRs open, click the checkbox below.

• Lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update cookie crate to 0.16.1
• Update Swatinem/rust-cache action to v2.2.0

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update Swatinem/rust-cache action to v2.0.2

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

In #14, @jtgeibel added a Max-Age to the Set-Cookie header, so browsers will expire a cookie if it isn't refreshed within 90 days. However, if an attacker captures a copy of a cookie, it's still valid indefinitely. It would be useful to embed an expiration date in the signed cookie so that the server knows to reject a cookie that should have been expired by now. This would limit the impact of a compromised account.

We should bump to the latest cookie release before a final 0.9.0 release.

This will help resolve an issue observed in production crates.io. My proposal is to change session() to return a shared reference, and add a session_mut() providing mutable access. Calling session_mut() will set a a possibly_modified: bool flag. If no call to session_mut() has been made, then the session has not been modified and it is not necessary to add the Set-Cookie header to the response.