space black
Wasp
•Created by tk-421 on 2/16/2025 in #🙋questions
Creating an on-prem product?
@tk-421 I'm working on a dead simple gitops / k8s setup with Wasp, I'll open source a template for it tomorrow
13 replies
Wasp
•Created by space black on 1/31/2025 in #🙋questions
Moving to cookie based sessions?
@Vinny (@Wasp) a little late to the punch my friend https://github.com/wasp-lang/wasp/pull/2480
16 replies
Wasp
•Created by space black on 1/31/2025 in #🙋questions
Moving to cookie based sessions?
@kapa.ai I reviewed that issue, and it seems like the issues brought up are definitely amenable. HTTPS can be enabled on local dev, or you can turn off the third party cookie for your local dev work. Easy enough.
So imagine a setup like this:
- Server issues a single HttpOnly, Secure, SameSite=Lax cookie
- Session ID stored in database with expiration
- Client can't directly delete the cookie (not reachable by JS)
Online logout - client clicks logout, server deletes db session and clears cookie via Set-Cookie header
Offline logout - server deletes db session or it expires. When client comes back, they won't have access.
To me, seems like all the concerns are addressed, and security is improved with no downside.
Of course, the JWT system could still be in the application and chosen if for whatever reason you have some specialized setup.
16 replies