Token Based Auth - Cookie HttpOnly Secure

Related to the Token Based Auth plugin. Is there any reason for not setting the auth cookie's HttpOnly and Secure flags to prevent XSS attacks and mitigate the risk of client-side scripts accessing the protected cookie?

That's because it is currently set by the front end itself when it receives the token from the third-party auth provider. The cookie is used to send the token to our server, which then grants or denies access to the page depending on your page access settings.

We are aware it's not the best practice, and we plan to revamp how our auth system works; it should happen in the next 2 months :slight_smile:
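To make the trade-off in the question and the answer above concrete, here is an added example (not the plugin's code, and not posted by either participant) contrasting the two patterns: the front end writing the provider token into `document.cookie`, versus the server issuing the cookie itself with `HttpOnly` and `Secure`. The cookie name `auth_token`, the token value, and the small cookie-jar model that stands in for a browser's cookie store are all assumptions made for the demonstration; the model follows the rules that matter here (a script write carrying `HttpOnly` is ignored by the browser, `document.cookie` never exposes `HttpOnly` cookies, and `Secure` cookies are not sent over plain HTTP).

```javascript
// Added example, not the Token Based Auth plugin's code. Cookie name,
// token value and the jar model are assumptions for illustration.

// Parse one Set-Cookie style string into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: "Lax",
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v;
  }
  return cookie;
}

// What the current design does: the front end writes the cookie from script.
// A browser ignores a document.cookie write that asks for HttpOnly (a script
// cannot create a cookie it is itself forbidden to read), so the write either
// fails or yields a cookie any injected script can read. Returns true if stored.
function setFromScript(jar, cookieString) {
  const cookie = parseSetCookie(cookieString);
  if (cookie.httpOnly) return false; // ignored entirely, nothing stored
  jar.push(cookie);
  return true;
}

// The hardened form: the server sets the cookie via a Set-Cookie header,
// where HttpOnly is honoured.
function setFromServer(jar, setCookieHeader) {
  jar.push(parseSetCookie(setCookieHeader));
}

// What an XSS payload sees through document.cookie: everything not HttpOnly.
function documentCookie(jar) {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join("; ");
}

// What the browser attaches to a request; Secure cookies only go over HTTPS.
function requestCookieHeader(jar, https) {
  return jar.filter(c => https || !c.secure).map(c => `${c.name}=${c.value}`).join("; ");
}

// Server side of the fix: after the front end posts the provider's token to a
// callback endpoint, the server (not the page) issues the cookie with flags.
function buildAuthSetCookie(token) {
  return `auth_token=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Server side: read the token back from the request's Cookie header.
function readAuthCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq > 0 && trimmed.slice(0, eq) === "auth_token") {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Run both patterns side by side on a constructed token.
function demo() {
  const token = "provider-token-123"; // constructed sample token

  const insecureJar = [];
  setFromScript(insecureJar, `auth_token=${token}; Path=/; Secure`);

  const hardenedJar = [];
  setFromServer(hardenedJar, buildAuthSetCookie(token));

  return {
    leakedByXss: documentCookie(insecureJar),     // token visible to script
    leakedAfterFix: documentCookie(hardenedJar),  // nothing visible
    serverStillSees: readAuthCookie(requestCookieHeader(hardenedJar, true)),
    sentOverHttp: requestCookieHeader(hardenedJar, false), // nothing sent
  };
}

console.log(demo());
```

The point of the fix is that the token still reaches the server on every HTTPS request, but no longer through a value that page scripts can read, so an XSS on the page can act with the user's session only while the page is open rather than walking away with the cookie. Restricting the callback endpoint to HTTPS and choosing a `SameSite` value that matches the provider's redirect flow are the remaining details to settle when the server takes over cookie issuance.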

No cookies anymore!
