Understanding cookie usage in Nile Auth
nile.session-token
  httpOnly
    Ensures the cookie is inaccessible to JavaScript, so a script injected through XSS cannot read the session token.
  secure
    Ensures the cookie is only sent over HTTPS.
  sameSite: 'lax'
    Prevents the cookie from being sent with cross-site requests, but allows it for top-level navigation.
  path: '/'
    Makes the cookie available across the entire site.

nile.callback-url
  The callbackUrl is stored in this cookie. Once authentication is successful, the user is redirected back to this URL.
  sameSite: 'lax'
    Ensures the cookie is only sent with same-site requests (and top-level navigation), improving security.
  secure
    Ensures the cookie is only sent over HTTPS connections.
  path: '/'
    Ensures the cookie is available across the entire site.

nile.csrf-token
  httpOnly
    The cookie is inaccessible to JavaScript, preventing attacks where an injected script could read the CSRF token.
  sameSite: 'lax'
    Prevents the cookie from being sent with cross-origin requests, but allows it for same-site requests and top-level navigation.
  secure
    Ensures the cookie is only sent over HTTPS to prevent interception.

nile.pkce.code_verifier
  httpOnly
    Prevents the cookie from being accessed via JavaScript.
  sameSite: 'lax'
    Limits the cookie's availability to same-site requests, improving security.
  secure
    Ensures the cookie is only sent over secure HTTPS connections.
  maxAge: 900
    Sets the cookie's expiration time to 15 minutes (900 seconds), which is typical for OAuth PKCE flows.

nile.state
  httpOnly
    Prevents the cookie from being accessed by JavaScript, mitigating the impact of potential XSS attacks.
  sameSite: 'lax'
    Limits cross-site cookie transmission to prevent potential cross-origin attacks.
  secure
    Ensures the cookie is only sent over secure connections.
  maxAge: 900
    Sets the cookie's expiration time to 15 minutes, aligning with the OAuth flow's expected duration.

nile.nonce
  httpOnly
    Ensures the cookie is not accessible to JavaScript, mitigating the risk of attacks that read browser storage.
  sameSite: 'lax'
    Limits the cookie to same-site requests, preventing cross-site request forgery.
  secure
    The cookie is only sent over HTTPS, protecting sensitive data in transit.

nile.tenant-id
  sameSite: 'lax'
    Limits the cookie to same-site requests, preventing cross-site request forgery.
  secure
    The cookie is only sent over HTTPS, protecting sensitive data in transit.

nile.reset
  sameSite: 'lax'
    Limits the cookie to same-site requests, preventing cross-site request forgery.
  secure
    The cookie is only sent over HTTPS, protecting sensitive data in transit.
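As an added example (not Nile Auth's own code), the cookie policy described above can be written down as data and used two ways: to serialise a Set-Cookie header value with exactly the documented attributes, and to audit a Set-Cookie header captured from a response against that policy, flagging any cookie that arrives without its HttpOnly, Secure, SameSite, Path or Max-Age attribute. The cookie names and attributes come from this page; the cookie values, the sample headers and the helper names (COOKIE_POLICY, buildSetCookie, parseSetCookie, auditSetCookie) are constructed for the example. Attributes the page does not list for a cookie are left out of the policy rather than assumed to be absent.

```javascript
// Added example: the per-cookie attributes documented on the page, as data.
// Only attributes the page lists are included (an omitted attribute is
// "not documented", not "must be absent").
const COOKIE_POLICY = {
  'nile.session-token':      { httpOnly: true, secure: true, sameSite: 'lax', path: '/' },
  'nile.callback-url':       { secure: true, sameSite: 'lax', path: '/' },
  'nile.csrf-token':         { httpOnly: true, secure: true, sameSite: 'lax' },
  'nile.pkce.code_verifier': { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 900 },
  'nile.state':              { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 900 },
  'nile.nonce':              { httpOnly: true, secure: true, sameSite: 'lax' },
  'nile.tenant-id':          { secure: true, sameSite: 'lax' },
  'nile.reset':              { secure: true, sameSite: 'lax' },
};

// Serialise one cookie into a Set-Cookie header value. Attribute order is
// fixed (Path, Max-Age, HttpOnly, Secure, SameSite) so output is deterministic.
function buildSetCookie(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) {
    const v = attrs.sameSite;
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attrs }. Attribute
// names are lower-cased because the header grammar is case-insensitive;
// flag attributes (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const seg of rest) {
    if (!seg) continue;
    const i = seg.indexOf('=');
    const key = (i === -1 ? seg : seg.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : seg.slice(i + 1);
  }
  return { name, value, attrs };
}

// Check a captured Set-Cookie value against COOKIE_POLICY. Returns the cookie
// name and a list of human-readable problems (empty when the header complies).
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const policy = COOKIE_POLICY[name];
  if (!policy) return { name, problems: [`no policy entry for ${name}`] };
  const problems = [];
  if (policy.httpOnly && attrs.httponly !== true) problems.push('missing HttpOnly');
  if (policy.secure && attrs.secure !== true) problems.push('missing Secure');
  if (policy.sameSite) {
    const got = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
    if (got !== policy.sameSite) {
      problems.push(`SameSite is ${got ?? 'unset'}, expected ${policy.sameSite}`);
    }
  }
  if (policy.path && attrs.path !== policy.path) {
    problems.push(`Path is ${attrs.path ?? 'unset'}, expected ${policy.path}`);
  }
  if (policy.maxAge !== undefined && Number(attrs['max-age']) !== policy.maxAge) {
    problems.push(`Max-Age is ${attrs['max-age'] ?? 'unset'}, expected ${policy.maxAge}`);
  }
  return { name, problems };
}

// Constructed sample: one compliant header and one that lost its flags
// (for instance after a proxy rewrote the response).
const SAMPLE_HEADERS = [
  buildSetCookie('nile.session-token', 'constructed-session-value', COOKIE_POLICY['nile.session-token']),
  'nile.session-token=constructed-session-value; Path=/; SameSite=Lax',
];
for (const h of SAMPLE_HEADERS) {
  const { name, problems } = auditSetCookie(h);
  console.log(name, problems.length ? problems.join('; ') : 'ok');
}
```

The audit only knows about the attributes this page documents, so a cookie that is missing an attribute the page does not mention (for example httpOnly on nile.callback-url) is reported as compliant; extend COOKIE_POLICY if your deployment requires more than the documented set.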