
@W-21066774: Add config flag to enable/disable HttpOnly session cookies#3635

Merged
unandyala merged 8 commits into feature/httponly-session-cookies from unandyala.add-httponly-feature-flag
Feb 6, 2026

Conversation

@unandyala
Contributor

@unandyala unandyala commented Feb 4, 2026

Add config flag to enable/disable HttpOnly session cookies

@unandyala unandyala requested a review from a team as a code owner February 4, 2026 19:58
@cc-prodsec
Collaborator

cc-prodsec commented Feb 4, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues


@unandyala unandyala changed the title Add config flag to enable/disable HttpOnly session cookies @W-21066774: Add config flag to enable/disable HttpOnly session cookies Feb 4, 2026
Contributor

@vcua-mobify vcua-mobify left a comment


I see that this PR is only adding the new httpOnly property and that nothing is really using it yet. I assume that we'll have a follow up PR for those uses?

],
ssrParameters: {
ssrFunctionNodeVersion: '22.x',
disableHttpOnlySessionCookies: true,
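Review bot: the generator template sets `disableHttpOnlySessionCookies: true`, which turns HttpOnly off for every newly generated project, and because the flag name is negative a reader of the template cannot tell whether that is intended. Suggest flipping it to `false` (or omitting it, if pwa-kit-dev already treats an undefined value as HttpOnly-on, as the review comment states) and adding a one-line comment stating what `true` does.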
Contributor


I see that we have true as the default in pwa-kit-dev if this is undefined so we probably don't need to update the config templates in the generator.

Should we have a comment explaining why this is true by default?

Contributor Author

@unandyala unandyala Feb 4, 2026


I think it is good to add it for clarity. Also changed the value to false.

@unandyala
Contributor Author

I see that this PR is only adding the new httpOnly property and that nothing is really using it yet. I assume that we'll have a follow up PR for those uses?

Yes

ssrParameters: {
ssrFunctionNodeVersion: '22.x',
// Store the session cookies as HttpOnly or enhanced security.
disableHttpOnlySessionCookies: false,
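Review bot: the comment above `disableHttpOnlySessionCookies` reads "as HttpOnly or enhanced security", which looks like a typo for "for enhanced security", and it does not say what setting the flag to `true` does. Suggest: `// Set to true to disable HttpOnly on session cookies; false keeps them HttpOnly (recommended).`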
Contributor Author


For any new projects, we want to enable HttpOnly cookies by default
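An added example (not PWA Kit's own code, and not from this PR) of how a flag like the one discussed in this thread can be consumed on the server side: it reads `ssrParameters.disableHttpOnlySessionCookies`, keeps HttpOnly on when the flag is unset (the pwa-kit-dev default the reviewer describes), serializes a Set-Cookie header, and includes a small check that inspects a header for the HttpOnly attribute, which is handy in tests or over captured responses after a deploy. The function names, the other cookie attributes, and the sample configs are assumptions.

```javascript
// Added example, not PWA Kit code. Assumption: when `disableHttpOnlySessionCookies`
// is absent, HttpOnly stays on (the fail-safe default described in the PR thread).

function resolveSessionCookieOptions(ssrParameters = {}) {
  const disable = ssrParameters.disableHttpOnlySessionCookies
  // Only an explicit boolean `true` turns HttpOnly off; undefined, null or a
  // non-boolean (e.g. the string "true" leaking in from an env var) keeps HttpOnly.
  const httpOnly = disable !== true
  // The remaining attributes are assumed defaults for a session cookie.
  return {httpOnly, secure: true, sameSite: 'Lax', path: '/'}
}

// Serialize a single Set-Cookie header value from the resolved options.
function serializeCookie(name, value, options) {
  const parts = [`${name}=${encodeURIComponent(value)}`]
  if (options.path) parts.push(`Path=${options.path}`)
  if (options.secure) parts.push('Secure')
  if (options.httpOnly) parts.push('HttpOnly')
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`)
  return parts.join('; ')
}

// Report whether a Set-Cookie header carries the HttpOnly attribute (attribute
// names are case-insensitive per RFC 6265, so compare lower-cased).
function isHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .slice(1) // drop the name=value pair
    .map((attr) => attr.trim().toLowerCase())
    .includes('httponly')
}

// Constructed sample ssrParameters blocks mirroring the variants seen in the thread.
const SAMPLE_CONFIGS = {
  unset: {ssrFunctionNodeVersion: '22.x'},
  disabled: {ssrFunctionNodeVersion: '22.x', disableHttpOnlySessionCookies: true},
  enabled: {ssrFunctionNodeVersion: '22.x', disableHttpOnlySessionCookies: false}
}

// Build the session cookie header a server would emit for a named sample config.
function sessionCookieHeaderFor(configName) {
  const opts = resolveSessionCookieOptions(SAMPLE_CONFIGS[configName])
  return serializeCookie('session', 'example-session-id', opts)
}

for (const name of Object.keys(SAMPLE_CONFIGS)) {
  const header = sessionCookieHeaderFor(name)
  console.log(`${name.padEnd(8)} -> ${header} (HttpOnly: ${isHttpOnly(header)})`)
}
```

The strict `disable !== true` comparison is the design choice worth copying: a config value that arrives as a string, `null` or `undefined` never silently downgrades the cookie, so an incomplete template or a mistyped value fails toward HttpOnly rather than away from it.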

@unandyala unandyala merged commit ce16e61 into feature/httponly-session-cookies Feb 6, 2026
42 checks passed
@unandyala unandyala deleted the unandyala.add-httponly-feature-flag branch February 6, 2026 00:36
3 participants