
set "SameSite" to "Strict" for session cookies

Open jvantuyl opened this issue 2 years ago • 2 comments

According to various browser console messages, cookies will very soon need to have the SameSite attribute set to deliver cookies across sites. Here is an example of the ones in Chrome (which also includes the solution). I've also seen these in Firefox as well.

I'm pretty sure there's really no legitimate reason to forward these across sites anyways, so setting this to "strict" just applies the security policy we should probably have anyways. Best case, more secure. Worst case, at least we're making the console less noisy for devs.

It looks like all we need to do is append `extra: "SameSite=Strict"` to the `@session_options` here.

jvantuyl avatar Jul 02 '22 09:07 jvantuyl
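An added check, not code from this issue or from the Petal/Phoenix projects, that audits `Set-Cookie` header values for the SameSite setting discussed above. The sample headers are constructed: the first is a Plug session cookie before the change, the second after `extra: "SameSite=Strict"` is applied, the third a cookie that browsers would reject.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie values (hypothetical cookie names and payloads).
SAMPLE_HEADERS = [
    "_petal_key=SFMyNTY.abc123; path=/; HttpOnly",                    # before the fix
    "_petal_key=SFMyNTY.abc123; path=/; HttpOnly; SameSite=Strict",   # after the fix
    "_tracking=xyz; path=/; SameSite=None",                           # None without Secure
]

# Ordering used to decide whether an observed SameSite value is weaker than expected.
SAME_SITE_RANK = {"Strict": 2, "Lax": 1, "None": 0}


@dataclass
class CookieReport:
    name: str
    same_site: Optional[str]
    secure: bool
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header: str, expected: str = "Strict") -> CookieReport:
    """Parse one Set-Cookie value and flag SameSite weaknesses relative to `expected`."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag-style attributes (HttpOnly, Secure) have no value; store True for them.
        attrs[key.strip().lower()] = value.strip() or True
    raw = attrs.get("samesite")
    same_site = raw.capitalize() if isinstance(raw, str) else None
    secure = "secure" in attrs
    report = CookieReport(name, same_site, secure)
    if same_site is None:
        # This is the case the browser console warnings in the issue are about.
        report.findings.append("missing SameSite: browsers default to Lax and warn in the console")
    else:
        if same_site == "None" and not secure:
            report.findings.append("SameSite=None without Secure: modern browsers reject the cookie")
        if SAME_SITE_RANK.get(same_site, -1) < SAME_SITE_RANK[expected]:
            report.findings.append(f"SameSite={same_site} is weaker than expected {expected}")
    return report


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = audit_set_cookie(h)
        print(r.name, r.same_site, r.findings)
```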

Filed a similar issue on the main Phoenix Project (phoenixframework/phoenix#4877).

jvantuyl avatar Jul 02 '22 10:07 jvantuyl

Thanks - didn't know about that and not sure whether to set a default. Let's see what happens on your Phoenix issue

mplatts avatar Jul 02 '22 23:07 mplatts

This ended up merged upstream (https://github.com/phoenixframework/phoenix/pull/4677). Did this get pulled into Petal? If it did, can we close this?

jvantuyl avatar Aug 22 '23 11:08 jvantuyl

Yep, seems to be in there.

mplatts avatar Aug 22 '23 23:08 mplatts