Allow cookie names to be configurable

In order to improve security it would be beneficial to change cookie names from const to a configurable option. It would help mask the presence of service stack and improve security in accordance with OWASP recommendations - https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Name_Fingerprinting

7 votes
Anonymous shared this idea

1 comment

  • Danny commented

    My reason for needing this is that if you have a ServiceStack site at domain.com, and another one at api.domain.com, the cookies will fight with each other. In Chrome the cookies stay separate, but in IE the cookies will be shared even though no domain is specified on the cookie. I know this to be the case because we had this working fine in Chrome but accessing the system in IE caused each site to log the other one out repeatedly. A discussion on this point and a test script to demonstrate can be found here: https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain/44342126#44342126
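
Added example (not part of the original idea or comment, and not ServiceStack code): a small audit of your own sites' `Set-Cookie` headers that flags framework-default session cookie names, as in the OWASP fingerprinting note, and same-name cookies on a parent domain and its subdomain, as in the comment above. The function names, the scope labels and the sample headers are constructed for illustration; `ss-id` and `ss-pid` are ServiceStack's default session cookie names.

```python
from http.cookies import SimpleCookie

# Framework-default session cookie names. The first five are the examples in the
# OWASP cheat sheet; ss-id and ss-pid are ServiceStack's default session cookies.
FRAMEWORK_DEFAULTS = {
    "PHPSESSID": "PHP", "JSESSIONID": "J2EE", "CFID": "ColdFusion",
    "CFTOKEN": "ColdFusion", "ASP.NET_SessionId": "ASP.NET",
    "ss-id": "ServiceStack", "ss-pid": "ServiceStack",
}

def parse_set_cookies(headers):
    """Return [(name, host_only)] for a list of Set-Cookie header values."""
    out = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            out.append((name, not morsel["domain"]))  # no Domain= means host-only
    return out

def audit(sites):
    """sites: {host: [Set-Cookie values]} -> (fingerprints, collisions)."""
    parsed = {h.lower(): parse_set_cookies(v) for h, v in sites.items()}
    fingerprints = sorted(
        (host, name, FRAMEWORK_DEFAULTS[name])
        for host, cookies in parsed.items()
        for name, _ in cookies if name in FRAMEWORK_DEFAULTS)
    collisions = []
    for parent, pcookies in parsed.items():
        for child, ccookies in parsed.items():
            if not child.endswith("." + parent):
                continue  # only a parent domain and its own subdomains can clash
            child_names = {n for n, _ in ccookies}
            for name, host_only in pcookies:
                if name in child_names:
                    # Host-only cookies clash only where the browser shares them
                    # with subdomains anyway (the IE behaviour in the comment).
                    scope = "host-only-shared" if host_only else "all-browsers"
                    collisions.append((parent, child, name, scope))
    return fingerprints, sorted(collisions)

# Constructed sample: two sites on the hosts named in the comment.
SAMPLE = {
    "domain.com": ["ss-id=aaa111; path=/; HttpOnly", "theme=dark; path=/"],
    "api.domain.com": ["ss-id=bbb222; path=/; HttpOnly",
                       "ss-pid=ccc333; path=/; HttpOnly"],
}
```

With configurable names, giving each site its own session cookie name clears both kinds of finding.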
