p5.js version
No response
What is your operating system?
None
Web browser and version
No response
Actual Behavior
Session cookie is set with secure: false hardcoded in server/server.js. Session cookies can be sent over HTTP, increasing session hijacking risk if the app is (or is ever) served over HTTP in production.
Location: server/server.js line 94
Expected Behavior
In production (NODE_ENV === 'production'), the session cookie should have secure: true so it is only sent over HTTPS.
Steps to reproduce
- Open server/server.js and find the session cookie config.
- Confirm secure: false is set with no environment-based override.
- In production over HTTPS, cookie could still be sent over HTTP if there is any downgrade or misconfiguration.
Snippet:
// server.js
cookie: {
  httpOnly: true,
  secure: false, // should be true in production
  maxAge: 1000 * 60 * 60 * 24 * 28
}
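One way to derive the cookie options from NODE_ENV, shown as an added example rather than the editor's own server.js; it assumes express-session's option names (cookie, proxy) and keeps the maxAge from the snippet above.

```javascript
// Added example (not the p5.js web editor's code): build the session cookie
// options from the environment so `secure` is true only in production.
const TWENTY_EIGHT_DAYS_MS = 1000 * 60 * 60 * 24 * 28;

function sessionCookieOptions(env = process.env) {
  const isProduction = env.NODE_ENV === 'production';
  return {
    httpOnly: true,
    // Production: cookie is only sent over HTTPS. Development: plain HTTP is
    // allowed so a local server without TLS still gets a session.
    secure: isProduction,
    maxAge: TWENTY_EIGHT_DAYS_MS,
  };
}

// Full express-session config. Caveat: with secure: true behind a reverse
// proxy (nginx, a load balancer) the app sees a plain HTTP socket, so
// express-session will not set the cookie unless it trusts the proxy's
// X-Forwarded-Proto header; `proxy: true` here (or app.set('trust proxy', 1))
// enables that. SESSION_SECRET is an assumed environment variable.
function sessionConfig(env = process.env) {
  return {
    secret: env.SESSION_SECRET || 'dev-only-secret-placeholder',
    resave: false,
    saveUninitialized: false,
    proxy: env.NODE_ENV === 'production',
    cookie: sessionCookieOptions(env),
  };
}
```

Usage would be app.use(session(sessionConfig())) in place of the hardcoded object.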