4 changes: 4 additions & 0 deletions packages/agent0/.env.app.example
Expand Up @@ -4,6 +4,10 @@
PORT=3000
SESSION_SECRET=your-session-secret-change-in-production

# Cookie secure flag - set to false for local HTTP development.
# In production with HTTPS, remove this line or set to true.
COOKIE_SECURE=false

# ============================================================================
# RESOURCE SERVER - OKTA OAUTH (HUMAN SSO)
# ============================================================================
5 changes: 4 additions & 1 deletion packages/agent0/src/auth/okta-auth.ts
Expand Up @@ -42,7 +42,10 @@ export function createSessionMiddleware(sessionSecret: string) {
saveUninitialized: false,
rolling: true, // Reset maxAge on every response
cookie: {
secure: false, // Set to true in production with HTTPS
// Cookie secure flag - controls whether cookies are sent only over HTTPS.
// Default: true (secure). Browsers reject secure cookies over HTTP.
// For local development without HTTPS, set COOKIE_SECURE=false in your .env file.
secure: process.env.COOKIE_SECURE,
httpOnly: true,
maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
sameSite: 'lax', // Prevent CSRF while allowing normal navigation
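Review bot: `secure: process.env.COOKIE_SECURE` on the added line hands the raw environment string to express-session, so `COOKIE_SECURE=false` yields the non-empty string 'false', which is truthy and still marks the cookie secure. Over plain HTTP express-session then declines to set a cookie it considers secure, so every request starts a new session, which is the opposite of what the comment above the line promises for local development. The todo0 hunk in app-server.ts already does the comparison; use the same form here, `secure: process.env.COOKIE_SECURE !== 'false',`, so an unset variable keeps the secure default and a `string | undefined` is no longer assigned to a boolean option. createSessionMiddleware continues outside the hunk, so I cannot see whether the session options set `proxy`; with secure true behind a TLS-terminating proxy, express-session also needs `proxy: true` or `app.set('trust proxy', 1)` to issue the cookie, and the same applies to the app-server.ts hunk.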
4 changes: 4 additions & 0 deletions packages/todo0/.env.app.example
Expand Up @@ -4,6 +4,10 @@
PORT=5001
SESSION_SECRET=your-session-secret-change-in-production

# Cookie secure flag - set to false for local HTTP development.
# In production with HTTPS, remove this line or set to true.
COOKIE_SECURE=false

# ============================================================================
# TODO0 APP - OKTA OAUTH (HUMAN SSO)
# ============================================================================
7 changes: 5 additions & 2 deletions packages/todo0/src/app-server.ts
Expand Up @@ -131,8 +131,11 @@ app.use(session({
resave: false,
saveUninitialized: false,
rolling: true, // Keep session alive with activity
cookie: {
secure: false,
cookie: {
// Cookie secure flag - controls whether cookies are sent only over HTTPS.
// Default: true (secure). Browsers reject secure cookies over HTTP.
// For local development without HTTPS, set COOKIE_SECURE=false in your .env file.
secure: process.env.COOKIE_SECURE !== 'false',
httpOnly: true,
maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
sameSite: 'lax',
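Review bot: `process.env.COOKIE_SECURE !== 'false'` is an exact, case-sensitive match, so values such as `FALSE`, `0` or `no` silently keep secure=true, and over HTTP the session cookie is then never set, which shows up only as every request starting a fresh session. If only the literal `false` is meant to disable the flag, say so in the comment above it, e.g. `// Only the exact string 'false' turns the flag off; any other value keeps it on.`; otherwise normalise with `secure: (process.env.COOKIE_SECURE ?? '').toLowerCase() !== 'false',`. The `app.use(session({` call begins before the hunk, so the surrounding options are not visible here.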