Hacker News new | ask | show | jobs
by jefftk 894 days ago
Poking around a bit more, visiting https://sentry.io/auth/login/ but performing no action sets first-party cookies __stripe_mid, __stripe_sid, session, and sentry-sc. If I don't log in, but then visit other pages on the site those cookies are still sent.

I don't see why it's necessary that that these cookies be set before I actually log into the page? Or, if it is necessary for a non-obvious reason, I don't see why they need to be sent when visiting other pages under sentry.io instead of being scoped to /auth/login/ ?
1 comments
the_mitsuhiko 894 days ago
A lot of these cookies are used to prevent CSRF or tracking flow state (eg: redirect target for login) through SSO. I'm not sure about the behavior of the stripe one. Generally once you go to a login page I'm pretty sure you will log in :)
link
jefftk 894 days ago
> A lot of these cookies are used to prevent CSRF

Maybe I'm being dense, but I don't see CSRF risks with a login form?

> once you go to a login page I'm pretty sure you will log in

That seems very reasonable to me, but I don't think it's what the e-Privacy directive says?

(I'm in general very sympathetic, and wish the directive set a lower bar than "strictly necessary" for functional client-side storage.)

link
the_mitsuhiko 894 days ago
The ePrivacy directive is not that descriptive. The use of this cookie is fine as per legal review.

All our forms have the same CSRF protection, that goes for login and other things too.

link
jefftk 894 days ago
I really don't see how a duration of one year and Same-Site=Lax on the sentry-sc cookie passed legal review, but perhaps your legal team is comfortable with a more aggressive approach than I'm used to.
link
the_mitsuhiko 894 days ago
The purpose and functionality of the cookie is what matters, not the duration.
link
jefftk 894 days ago
The duration is part of the functionality. In interpreting the e-Privacy directive a general principle is that durations should not be longer than required to implement the required functionality. If you read through https://ec.europa.eu/justice/article-29/documentation/opinio... you'll see lots of discussion of appropriate durations.
link