Skip to content

fix(core): prefix anonymous cookie with __Secure for https://#2381

Merged
chanceaclark merged 1 commit into
canaryfrom
fix/secure-cookie
Jun 6, 2025
Merged

fix(core): prefix anonymous cookie with __Secure for https://#2381
chanceaclark merged 1 commit into
canaryfrom
fix/secure-cookie

Conversation

@chanceaclark

@chanceaclark chanceaclark commented Jun 6, 2025

Copy link
Copy Markdown
Contributor

What/Why?

This adds the __Secure- cookie prefix to the anonymous session cookie to add extra security measures. This logic follows the same behavior as Auth.js does for prefixing it's cookies with the __Secure- prefix.

Testing

Local dev

Screenshot 2025-06-06 at 13 41 10

Production

Screenshot 2025-06-06 at 13 40 49

Migration

If you haven't merge the anonymous session code, pulling it in should just work ™️.

@changeset-bot

changeset-bot Bot commented Jun 6, 2025

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: f371b13

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@bigcommerce/catalyst-core Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel

vercel Bot commented Jun 6, 2025

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
catalyst-canary ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 6, 2025 7:43pm
3 Skipped Deployments
Name Status Preview Comments Updated (UTC)
catalyst ⬜️ Ignored (Inspect) Jun 6, 2025 7:43pm
catalyst-au ⬜️ Ignored (Inspect) Visit Preview Jun 6, 2025 7:43pm
catalyst-uk ⬜️ Ignored (Inspect) Visit Preview Jun 6, 2025 7:43pm

@chanceaclark
chanceaclark marked this pull request as ready for review June 6, 2025 19:41
@chanceaclark
chanceaclark requested a review from a team June 6, 2025 19:41

@jkanive jkanive left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this change break existing in-session activity after deployment?

@chanceaclark

Copy link
Copy Markdown
Contributor Author

Since I merged the anonymous session stuff 2 days ago and we haven't tagged a release yet, I wouldn't be too worried about it breaking any sessions. Theoretically yeah it could wipe an existing cart away if someone already pulled that code in.

@chanceaclark
chanceaclark added this pull request to the merge queue Jun 6, 2025
Merged via the queue into canary with commit fada842 Jun 6, 2025
9 checks passed
@chanceaclark
chanceaclark deleted the fix/secure-cookie branch June 6, 2025 22:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants