From affde5fb5d1e173797d52f4a9e702e01e1c0ad3a Mon Sep 17 00:00:00 2001 From: Henrik Christensen Date: Sun, 5 Feb 2023 21:42:05 +0100 Subject: [PATCH] add note about session cookie (#760) * add tip about session cookie * change tip -> note * add suggested change --------- Co-authored-by: Tim Condon <0xTim@users.noreply.github.com> --- docs/security/authentication.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/security/authentication.md b/docs/security/authentication.md index 745e7b84..bc49092e 100644 --- a/docs/security/authentication.md +++ b/docs/security/authentication.md @@ -748,6 +748,9 @@ These middlewares do the following: * the sessions middleware takes the session cookie provided in the request and converts it into a session * the session authenticator takes the session and see if there is an authenticated user for that session. If so, the middleware authenticates the request. In the response, the session authenticator sees if the request has an authenticated user and saves them in the session so they're authenticated in the next request. +!!! note + The session cookie is not set to `secure` and `httpOnly` by default. Check Vapor's [Session API](../advanced/sessions.md#configuration) for more information on how to configure cookies. + ### Protecting Routes When protecting routes for an API, you traditionally return an HTTP response with a status code such as **401 Unauthorized** if the request is not authenticated. However, this isn't a very good user experience for someone using a browser. Vapor provides a `RedirectMiddleware` for any `Authenticatable` type to use in this scenario:
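Review bot: the new `!!! note` admonition in this hunk tells the reader that the session cookie is not `secure` and `httpOnly` by default but not why that matters, so the pointer to the Sessions configuration page reads as an aside rather than a recommendation; consider adding a short clause after the first sentence, for example `Without these flags the cookie can be sent over plain HTTP and is readable by client-side script, so set both in any production deployment.` Also confirm that the `#configuration` anchor in `../advanced/sessions.md` actually exists with that heading id, since a broken fragment will render as a link that silently lands at the top of the page.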