feat: fix the problem in the Operator Market frontend pages #203
Conversation
Flagged lines from frontend/src/mock/mock-core/session-helper.cjs (genExpressSession):

```js
  return session({
    name: "demo.name",
    secret: "demo.secret",
    resave: true,
    saveUninitialized: true,
    cookie: {
      maxAge: 60 * 60 * 1e3,
      expires: new Date(Date.now() + 60 * 60 * 1e3),
    }, // 1 hour
    store: new FileStore({
      path: path.join(__dirname, "../sessions"),
      retries: 0,
      keyFunction: (secret, sessionId) => {
        return secret + sessionId;
      },
    }),
  });
```
Check warning (Code scanning / CodeQL): Clear text transmission of sensitive cookie (Medium)
Copilot Autofix (AI, about 12 hours ago):
In general, the problem is that the session cookie is created without the secure flag, meaning browsers will send it over plain HTTP as well as HTTPS. For sensitive session data, the cookie should be marked secure so it is only transmitted over HTTPS. Because this helper already determines an environment (isDev), the best fix is to explicitly set cookie.secure based on that flag: true in non‑development (production) and false in development, preserving existing behavior locally while enforcing SSL where it matters.
Concretely, in frontend/src/mock/mock-core/session-helper.cjs, in the genExpressSession function, update the cookie object (lines 45–48) to include a secure property that is !isDev. That will use a secure cookie outside development. No new imports are required; we reuse the existing isDev constant defined at lines 8–10. No other functionality changes: the cookie name, secret, maxAge, expires, and store configuration remain the same.
| @@ -45,6 +45,7 @@ | ||
| cookie: { | ||
| maxAge: 60 * 60 * 1e3, | ||
| expires: new Date(Date.now() + 60 * 60 * 1e3), | ||
| secure: !isDev, | ||
| }, // 1 hour | ||
| store: new FileStore({ | ||
| path: path.join(__dirname, "../sessions"), |
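Review bot: the added `secure: !isDev` only takes effect if express-session sees the request as HTTPS; when the app sits behind a TLS-terminating reverse proxy, the request reaches Node over plain HTTP and express-session will refuse to set the cookie in production unless `app.set('trust proxy', 1)` or the session `proxy: true` option is configured, so that setting (or a comment pointing at it) should accompany this line. The unchanged context also keeps both `maxAge` and a literal `expires` for the same hour; express-session's documentation advises using only `maxAge`, because an `expires` Date computed once when genExpressSession runs fixes the same absolute expiry for every session instead of one hour from each session's creation.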
No description provided.
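To make the CodeQL finding and the autofix concrete, the following is an added example (not code from this PR or from the project) that models the cookie options built by the snippet above and what the Secure attribute changes about browser behaviour. `isDev` is passed in as a parameter instead of the helper's own constant, `browserWouldSendCookie` is a deliberately simplified model of the RFC 6265 Secure rule, and `auditSessionConfig` is a hypothetical reviewer helper, all assumptions of this example; it needs no express or session-file-store install.

```javascript
// Added example, not part of the PR: models the session cookie options from
// session-helper.cjs and the effect of the Secure attribute.
const HOUR_MS = 60 * 60 * 1e3;

// Cookie options as the snippet builds them, plus the `secure` flag added by
// the autofix. `isDev` is a parameter here (assumption); express-session's
// default httpOnly=true is written out explicitly for clarity.
function sessionCookieOptions(isDev) {
  return {
    maxAge: HOUR_MS,
    expires: new Date(Date.now() + HOUR_MS),
    httpOnly: true,
    secure: !isDev,
  };
}

// Simplified model of the browser rule for the Secure attribute (RFC 6265
// section 4.1.2.5): a Secure cookie is only attached to https requests.
// Domain, Path and SameSite matching are intentionally ignored here.
function browserWouldSendCookie(cookieOptions, requestUrl) {
  const scheme = new URL(requestUrl).protocol;
  if (cookieOptions.secure && scheme !== "https:") return false;
  return true;
}

// Hypothetical audit helper: returns the findings a reviewer would raise on an
// express-session config object, the first of which is the CodeQL warning.
function auditSessionConfig(config) {
  const findings = [];
  const cookie = config.cookie || {};
  if (!cookie.secure) {
    findings.push("cookie.secure not set: session id is sent over plain HTTP");
  }
  if (cookie.httpOnly === false) {
    findings.push("cookie.httpOnly false: session id readable by page scripts");
  }
  if (config.saveUninitialized) {
    findings.push("saveUninitialized true: a session is stored for every anonymous visitor");
  }
  return findings;
}

// Constructed configs: the weak (development) shape beside the corrected one.
const devConfig = { saveUninitialized: true, cookie: sessionCookieOptions(true) };
const prodConfig = { saveUninitialized: false, cookie: sessionCookieOptions(false) };

console.log("dev cookie over http:", browserWouldSendCookie(devConfig.cookie, "http://localhost:3000/"));
console.log("prod cookie over http:", browserWouldSendCookie(prodConfig.cookie, "http://example.test/"));
console.log("prod cookie over https:", browserWouldSendCookie(prodConfig.cookie, "https://example.test/"));
console.log("dev findings:", auditSessionConfig(devConfig));
console.log("prod findings:", auditSessionConfig(prodConfig));
```

Note that `secure: true` is only honoured by express-session when it believes the request is HTTPS; behind a TLS-terminating proxy that requires Express's `trust proxy` setting (or the session `proxy: true` option), which this model does not cover.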