
Hi all,

Here's one of those times I'd like to get some cross-framework discussion going. In Yesod, we use a combination of the cookie package[1] and clientsession[2] for storing user sessions. A few questions:

* I recently heard that Snap also uses client-side sessions. If this is true, what packages does it use?
* Can anyone think of a downside to setting HttpOnly on session cookies?
* Now that I realize the option for HttpOnly is missing from the cookie package, can anyone see anything else missing from its API?

In general, given that cookies are one of those ill-specified, very finicky parts of the web, I'd like it if we could try to converge on a single package for cookie parsing/rendering (both server and client side). Currently, Yesod and wai-test[3] both use it. Assuming we ever get a "Browser"-style module for http-enumerator, I would assume we'd use it there too.

Michael

[1] http://hackage.haskell.org/package/cookie
[2] http://hackage.haskell.org/package/clientsession
[3] http://hackage.haskell.org/package/wai-test

On Thu, Jun 30, 2011 at 9:58 AM, Michael Snoyman
> Hi all,
> * I recently heard that Snap also uses client-side sessions. If this is true, what packages does it use?

We have some prototype stuff that isn't released yet, and I didn't write it so I don't know much about it.

> * Can anyone think of a downside to setting HttpOnly on session cookies?

No, especially if they are encrypted. In that case, the only use case for JS to access them is to steal them.

G
--
Gregory Collins