
Set SameSite attribute in cookies

Open bernd opened this issue 2 years ago • 4 comments

Fixes #16428

TODO

  • [x] Check if we can use NewCookie.SameSite.STRICT or have to use NewCookie.SameSite.LAX
    • We can use the STRICT value. See: https://github.com/Graylog2/graylog2-server/pull/18329#issuecomment-1961115470

bernd avatar Feb 20 '24 17:02 bernd

@dennisoelkers I think we have to use the Lax value for the SameSite cookie attribute. Otherwise, users who follow links to a Graylog dashboard won't be logged in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

What do you think?

bernd avatar Feb 20 '24 17:02 bernd

@dennisoelkers Do you have any feedback on this?

bernd avatar Feb 23 '24 10:02 bernd

@bernd, from my perspective using SameSite=Strict should be okay. The authentication cookie will be blocked in the first request (to avoid linking directly to destructive/insecure API endpoints), which in our case is unauthenticated anyway, because it just loads the HTML boilerplate.

dennisoelkers avatar Feb 23 '24 10:02 dennisoelkers

@dennisoelkers Thank you for the update. Sounds good. I tested the STRICT setting with a link from an external page. The cookie doesn't get transferred when I click the link. :+1:

Can you review the change? Thanks!

bernd avatar Feb 23 '24 15:02 bernd