undefined | Better HN

0 pointsjefftk2y ago0 comments

Poking around a bit more, visiting https://sentry.io/auth/login/ but performing no action sets first-party cookies __stripe_mid, __stripe_sid, session, and sentry-sc. If I don't log in, but then visit other pages on the site those cookies are still sent.

I don't see why it's necessary that that these cookies be set before I actually log into the page? Or, if it is necessary for a non-obvious reason, I don't see why they need to be sent when visiting other pages under sentry.io instead of being scoped to /auth/login/ ?

0 comments

the_mitsuhiko2y ago

A lot of these cookies are used to prevent CSRF or tracking flow state (eg: redirect target for login) through SSO. I'm not sure about the behavior of the stripe one. Generally once you go to a login page I'm pretty sure you will log in :)

jefftkOP2y ago

> A lot of these cookies are used to prevent CSRF

Maybe I'm being dense, but I don't see CSRF risks with a login form?

> once you go to a login page I'm pretty sure you will log in

That seems very reasonable to me, but I don't think it's what the e-Privacy directive says?

(I'm in general very sympathetic, and wish the directive set a lower bar than "strictly necessary" for functional client-side storage.)

the_mitsuhiko2y ago

The ePrivacy directive is not that descriptive. The use of this cookie is fine as per legal review.

All our forms have the same CSRF protection, that goes for login and other things too.

1 more reply

j / k navigate · click thread line to collapse

0 pointsjefftk2y ago0 comments

0 comments

the_mitsuhiko2y ago

jefftkOP2y ago

> A lot of these cookies are used to prevent CSRF

Maybe I'm being dense, but I don't see CSRF risks with a login form?

> once you go to a login page I'm pretty sure you will log in

That seems very reasonable to me, but I don't think it's what the e-Privacy directive says?

(I'm in general very sympathetic, and wish the directive set a lower bar than "strictly necessary" for functional client-side storage.)

the_mitsuhiko2y ago

The ePrivacy directive is not that descriptive. The use of this cookie is fine as per legal review.

All our forms have the same CSRF protection, that goes for login and other things too.

1 more reply

j / k navigate · click thread line to collapse