Skip to content

RDKB-65950 Fix HTTP login session cookie Secure flag handling#28

Open
pavankumar464 wants to merge 2 commits into
developfrom
bug/RDKB-65950
Open

RDKB-65950 Fix HTTP login session cookie Secure flag handling#28
pavankumar464 wants to merge 2 commits into
developfrom
bug/RDKB-65950

Conversation

@pavankumar464

@pavankumar464 pavankumar464 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Root Cause:
In jst_prefix.js where session cookie flags were decided by:
getenv('HTTPS') == false check (too loose / incorrect)

If CGI sets HTTPS=off on HTTP requests, that value is not boolean false, so code incorrectly treated it as HTTPS and emitted:
Set-Cookie: DUKSID=...; secure; httponly

Browsers won’t send a Secure cookie over plain HTTP, so next HTTP request has no valid DUKSID, and server sends you to logged out.

Fix: updated jst_prefix.js to use a strict helper:
is_https_request() returns true only for HTTPS values: on, 1, true (case-insensitive)
Secure is added only when truly HTTPS
Used in both session_start() and session_create()

Copilot AI review requested due to automatic review settings July 10, 2026 05:27
@pavankumar464 pavankumar464 requested a review from a team as a code owner July 10, 2026 05:27

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes HTTP login session cookie Secure flag handling by introducing a helper to more accurately detect HTTPS requests and applying that logic when setting the DUKSID cookie.

Changes:

  • Added is_https_request() to interpret the HTTPS environment variable safely (e.g., only treating on/1/true as HTTPS).
  • Updated session_start() and session_create() to set the cookie secure attribute only when the request is HTTPS.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread jsts/jst_prefix.js Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 05:31

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread jsts/jst_prefix.js
Comment on lines +113 to +116
if (is_https_request())
var $cookie = "Set-Cookie: DUKSID=" + ccsp_session.getId() + "; secure" + "; httponly";
else
var $cookie = "Set-Cookie: DUKSID=" + ccsp_session.getId() + "; secure" + "; httponly";
var $cookie = "Set-Cookie: DUKSID=" + ccsp_session.getId() + "; httponly";
Comment thread jsts/jst_prefix.js
Comment on lines +140 to +143
if (is_https_request())
var $cookie = "Set-Cookie: DUKSID=" + ccsp_session.getId() + "; secure" + "; httponly";
else
var $cookie = "Set-Cookie: DUKSID=" + ccsp_session.getId() + "; httponly";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants