by jefftk
886 days ago
In that case the cookie can at least be scoped to the login form with a Path attribute and limited to the current session, which these aren't. The cookies on https://sentry.io/auth/login/ set without user intervention are valid beyond the current browser session and two of them have durations of a year. One even has SameSite=Lax! (It's also not clear to me that cookies are required, if there are other technically sound options that do this without setting cookies.)
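
An added example, not part of the comment above and not Sentry's code: a small audit that reports lifetime, Path scope and SameSite for each `Set-Cookie` header a login page returns. The cookie names, values and the `audit` helper are constructed for illustration; only the `/auth/login/` path comes from the URL in the comment.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LOGIN_PATH = "/auth/login/"  # login form path, taken from the URL in the comment

# Constructed Set-Cookie values; names and values are placeholders, not Sentry's.
SAMPLE_HEADERS = [
    "anon_id=abc123; Max-Age=31536000; Path=/; Secure; SameSite=Lax",
    "csrf=tok456; Path=/auth/login/; Secure; HttpOnly; SameSite=Strict",
    "pref=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def audit(header, now, login_path=LOGIN_PATH):
    """Report lifetime, path scope and SameSite for one login-page cookie."""
    name, attrs = parse_set_cookie(header)
    # Max-Age wins over Expires (RFC 6265); with neither, it is a session cookie.
    if "max-age" in attrs:
        days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        days = (expires - now).total_seconds() / 86400
    else:
        days = None
    # An absent Path defaults to the directory of the request URL (the login form).
    scope = attrs.get("path") or login_path
    return {
        "name": name,
        "lifetime_days": days,  # None means session-only
        "login_scoped": (scope.rstrip("/") + "/").startswith(login_path),
        "samesite": attrs.get("samesite"),  # None means the attribute is not set
    }

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit(header, datetime.now(timezone.utc)))
```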