add note about session cookie (#760)

* add tip about session cookie

* change tip -> note

* add suggested change

---------

Co-authored-by: Tim Condon <0xTim@users.noreply.github.com>
This commit is contained in:
Henrik Christensen 2023-02-05 21:42:05 +01:00 committed by GitHub
parent 7bfdc35045
commit affde5fb5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 0 deletions


@ -748,6 +748,9 @@ These middlewares do the following:
* the sessions middleware takes the session cookie provided in the request and converts it into a session
* the session authenticator takes the session and see if there is an authenticated user for that session. If so, the middleware authenticates the request. In the response, the session authenticator sees if the request has an authenticated user and saves them in the session so they're authenticated in the next request.
!!! note
The session cookie is not set to `secure` and `httpOnly` by default. Check Vapor's [Session API](../advanced/sessions.md#configuration) for more information on how to configure cookies.
### Protecting Routes
When protecting routes for an API, you traditionally return an HTTP response with a status code such as **401 Unauthorized** if the request is not authenticated. However, this isn't a very good user experience for someone using a browser. Vapor provides a `RedirectMiddleware` for any `Authenticatable` type to use in this scenario:
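Review bot: the added `!!! note` admonition sits directly under the last bullet of the list with no blank line in between, so Markdown parsers that treat an unindented following line as a lazy continuation of the list item may fold the note into the bullet text instead of rendering it as an admonition; insert a blank line before `!!! note` (and make sure the note body keeps its four-space indentation so it stays inside the admonition), and consider phrasing the body as "the `secure` and `httpOnly` flags are not set on the session cookie by default" so the reader knows these are cookie attributes to enable in the Session API configuration the link points to.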