security-dashboards-plugin
[BUG] Not able to set SameSite attribute of security_authentication cookie to value 'Strict'.
What is the bug? The security_authentication cookie set by the security dashboards plugin cannot have its SameSite attribute set to 'Strict'.
How can one reproduce the bug? Steps to reproduce the behavior: we have installed the security-dashboards plugin into OpenSearch Dashboards, and the security configuration is done through the opensearch-dashboards.yml file:

```yaml
opensearch_security.session.ttl: 60000
opensearch_security.cookie.ttl: 60000
opensearch_security.cookie.secure: true
opensearch_security.cookie.isSameSite: "Strict"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
```
What is the expected behavior? Would it be possible to set SameSite to 'Strict'?
What is your host/environment? We are using OpenSearch Dashboards 2.11 with the compatible security-dashboards plugin version 2.11.1.0. The same issue persists with OpenSearch Dashboards 1.3.17 with the compatible security-dashboards plugin version 1.3.17.0.
Do you have any screenshots? From the image below it can be seen that the security_authentication cookie's SameSite attribute is not set to 'Strict'.
Do you have any additional context? I have compiled the source code of the security plugin with the following function change in the security_cookies.ts file, but it does not seem to be working.
```typescript
export function clearOldVersionCookieValue(config: SecurityPluginConfigType): string {
  if (config.cookie.secure) {
    return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/; SameSite=Strict';
  } else {
    return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=Strict';
  }
}
```
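The following is an added example, not code from the reporter or from the security-dashboards-plugin project. It shows two things a practitioner would want alongside the report above: a cookie-header builder that takes the SameSite value from configuration (mirroring the `opensearch_security.cookie.isSameSite` and `opensearch_security.cookie.secure` keys quoted above) instead of hard-coding it, and a small Set-Cookie parser that checks whether a header the browser actually received carries the expected `SameSite`, `Secure` and `HttpOnly` attributes. The `CookieConfig` type, the function names and the sample header are assumptions made for this example; they are not the plugin's `SecurityPluginConfigType` or its API.

```typescript
// Added example (not the plugin's own code): build and check Set-Cookie headers
// for a security_authentication-style cookie with a configurable SameSite value.

type SameSiteValue = 'Strict' | 'Lax' | 'None';

// Hypothetical config shape mirroring the opensearch_security.cookie.* keys quoted
// in the report. The plugin's real SecurityPluginConfigType is not reproduced here.
interface CookieConfig {
  secure: boolean;        // opensearch_security.cookie.secure
  isSameSite: SameSiteValue; // opensearch_security.cookie.isSameSite
  ttl: number;            // opensearch_security.cookie.ttl (milliseconds)
}

// Build the header value that clears a cookie, taking SameSite from config
// instead of hard-coding it. SameSite=None is only valid together with Secure.
function buildClearCookieHeader(name: string, cfg: CookieConfig): string {
  if (cfg.isSameSite === 'None' && !cfg.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts: string[] = [`${name}=`, 'Max-Age=0', 'Expires=Thu, 01 Jan 1970 00:00:00 GMT'];
  if (cfg.secure) {
    parts.push('Secure');
  }
  parts.push('HttpOnly', 'Path=/', `SameSite=${cfg.isSameSite}`);
  return parts.join('; ');
}

interface ParsedSetCookie {
  name: string;
  value: string;
  attrs: Record<string, string>; // attribute names lower-cased; flags map to ''
}

// Parse one Set-Cookie header value into name, value and an attribute map.
function parseSetCookie(header: string): ParsedSetCookie {
  const [nameValue, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs: Record<string, string> = {};
  for (const part of attrParts) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the hardening attributes that are missing or wrong in a Set-Cookie header,
// given the SameSite value the deployment expects. An empty list means it matches.
function cookieHardeningGaps(header: string, expected: SameSiteValue, expectSecure: boolean): string[] {
  const { attrs } = parseSetCookie(header);
  const gaps: string[] = [];
  if (!('httponly' in attrs)) gaps.push('HttpOnly missing');
  if (expectSecure && !('secure' in attrs)) gaps.push('Secure missing');
  const sameSite = attrs['samesite'];
  if (sameSite === undefined) {
    gaps.push('SameSite missing');
  } else if (sameSite.toLowerCase() !== expected.toLowerCase()) {
    gaps.push(`SameSite=${sameSite} (expected ${expected})`);
  }
  return gaps;
}

// Usage: the config from the report, and a constructed header standing in for one
// observed in the browser's developer tools (the value 'abc123' is made up).
const reportConfig: CookieConfig = { secure: true, isSameSite: 'Strict', ttl: 60000 };
const clearHeader = buildClearCookieHeader('security_authentication', reportConfig);
const observedHeader = 'security_authentication=abc123; Secure; HttpOnly; Path=/; SameSite=Lax';
console.log(clearHeader);
console.log(cookieHardeningGaps(observedHeader, reportConfig.isSameSite, reportConfig.secure));
```

To check a live deployment, copy the `Set-Cookie` response header for `security_authentication` from the browser's network panel (or from `curl -i` against the login endpoint) and pass it to `cookieHardeningGaps` with the values configured in opensearch-dashboards.yml; any non-empty result names the attribute that does not match the configuration.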