In https://github.com/jebrosen/rocket_oauth2/blob/0.5.0-rc.1/src/lib.rs#L693 the `rocket_oauth2_state` cookie is set. By default, Rocket's `add_private` securely configures cookies with `httponly(true)`; however, the `secure` flag is not set. Would it be possible to add a possibility to set the `secure` flag on this cookie? Either automatically when a secure connection is used (not sure if this is possible), or somehow in the configuration? Or just make it the default for production builds?
I am also considering suggesting this on Rocket as a default instead, as I think it would be better to use secure defaults (at the very least for production builds).
I believe this was for a reason, but it may be time to revisit this. The most likely reasons I remember were:
Ability to test locally on e.g. http://localhost:8000. This may be a good reason to not use Secure unconditionally, but a flag or method to opt in to the Secure attribute would work
Buggy or inconsistent browser behavior with Secure, SameSite, and redirects, making Secure nonviable
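To make the two options in this thread concrete, here is an added, dependency-free sketch (not code from rocket_oauth2 or Rocket) of the Set-Cookie header the issue is about: the current default with HttpOnly only, beside a variant that adds Secure either by explicit opt-in or automatically when the request arrived over TLS, so local http://localhost testing keeps working. The function names, the `SameSite=Lax` value and the `Path=/` attribute are assumptions for illustration, not what the crate emits.

```rust
// Added example, not rocket_oauth2 or Rocket code. Helper names are hypothetical.

/// The attributes on the rocket_oauth2_state cookie that matter for this issue.
#[derive(Debug, Clone, PartialEq)]
pub struct StateCookie {
    pub value: String,
    pub http_only: bool,
    pub secure: bool,
    pub same_site: &'static str, // assumed value; the thread does not state it
}

/// What the issue reports for Rocket's add_private: HttpOnly is set, Secure is not.
pub fn current_default(value: &str) -> StateCookie {
    StateCookie { value: value.to_string(), http_only: true, secure: false, same_site: "Lax" }
}

/// The requested behaviour: Secure is set when a config flag opts in, or
/// automatically when the request came in over TLS. Plain-http development
/// (e.g. http://localhost:8000) with neither condition keeps a usable cookie.
pub fn hardened(value: &str, opt_in_secure: bool, request_is_tls: bool) -> StateCookie {
    let mut c = current_default(value);
    c.secure = opt_in_secure || request_is_tls;
    c
}

/// Render the cookie as the Set-Cookie header line a browser would receive.
pub fn set_cookie_header(c: &StateCookie) -> String {
    let mut h = format!("rocket_oauth2_state={}; SameSite={}; Path=/", c.value, c.same_site);
    if c.http_only {
        h.push_str("; HttpOnly");
    }
    if c.secure {
        h.push_str("; Secure");
    }
    h
}

/// Audit helper: does a Set-Cookie line carry the Secure attribute?
/// Useful for checking a deployed app's responses after the change lands.
pub fn has_secure_attr(header: &str) -> bool {
    header.split(';').any(|a| a.trim().eq_ignore_ascii_case("secure"))
}

fn main() {
    println!("{}", set_cookie_header(&current_default("abc123"))); // today
    println!("{}", set_cookie_header(&hardened("abc123", false, false))); // local http
    println!("{}", set_cookie_header(&hardened("abc123", false, true))); // over TLS
}
```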