Our use case:

• When working on the UI of a product locally, it's useful to be able to point it at the stage/prod REST API so it can be tested with live data, and not just that in the local Vagrant instance etc
• In production the UI and API are on the same domain, so to avoid cross-domain issues locally we use webpack-dev-server's proxy mode (which makes use of http-proxy-middleware which itself uses node-http-proxy), to proxy requests from eg http://localhost:5000/api/* to https://prod-app.com/api/*.
• Production is served over HTTPS and so sets the secure cookie attribute.
• The local environment does not use HTTPS (it's something I'd like to explore in the future, it just makes integration with our full-stack Vagrant workflow more complicated).
• As such, the browser ignores the proxied cookie and doesn't associate it the HTTP localhost UI.

If there was an option to strip the secure attribute from the proxied cookie, we could use the workflow above.

Example response:

curl -i "http://localhost:5001/api/auth/login/" <SNIP> HTTP/1.1 200 OK ... set-cookie: sessionid=REDACTED; expires=Wed, 24-May-2017 11:35:14 GMT; httponly; Max-Age=1209600; Path=/; secure set-cookie: csrftoken=REDACTED; expires=Wed, 09-May-2018 11:35:14 GMT; Max-Age=31449600; Path=/; secure