
Set SameSite attribute in cookies #18329

Merged
merged 5 commits into from Feb 26, 2024

Conversation

bernd
Member

@bernd bernd commented Feb 20, 2024

Fixes #16428

TODO

@bernd
Member Author

bernd commented Feb 20, 2024

@dennisoelkers I think we have to use the Lax value for the SameSite cookie attribute. Otherwise, users who follow links to a Graylog dashboard won't be logged in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

What do you think?

@bernd
Member Author

bernd commented Feb 23, 2024

@dennisoelkers Do you have any feedback on this?

@dennisoelkers
Member

@bernd, from my perspective using SameSite=Strict should be okay. The authentication cookie will be blocked in the first request (to avoid linking directly to destructive/insecure API endpoints), which in our case is unauthenticated anyway, because it just loads the HTML boilerplate.

@bernd bernd marked this pull request as ready for review February 23, 2024 15:21
@bernd
Member Author

bernd commented Feb 23, 2024

@dennisoelkers Thank you for the update. Sounds good. I tested the STRICT setting with a link from an external page. The cookie doesn't get transferred when I click the link. 👍

Can you review the change? Thanks!
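As an added illustration of the behaviour discussed in this thread (example code, not part of the PR or of Graylog): a small model of the browser's SameSite decision, run over the external-link flow dennisoelkers describes and over a link aimed straight at an API endpoint. Hostnames and paths are constructed, and "site" is approximated as the last two DNS labels.

```javascript
// Constructed example: models the SameSite rules a browser applies when deciding
// whether to attach a cookie. Real browsers derive the "site" from the Public
// Suffix List; the last-two-labels heuristic below is enough for these hosts.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Is a cookie with the given SameSite value attached to this request?
// request = { url, initiator, topLevelNavigation, method }
//   initiator: URL of the document that caused the request (null = typed/bookmark)
function cookieSent(sameSite, request) {
  const sameSiteRequest =
    request.initiator === null || siteOf(request.initiator) === siteOf(request.url);
  if (sameSiteRequest) return true;                 // same-site requests always carry it
  switch (sameSite) {
    case 'Strict': return false;                    // never sent on cross-site requests
    case 'Lax':    return request.topLevelNavigation && request.method === 'GET';
    case 'None':   return true;                     // cross-site allowed (needs Secure)
    default:       throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

const GRAYLOG = 'https://graylog.example.com';      // constructed hostname
const EXTERNAL = 'https://wiki.example.org/page';   // constructed external page

// The flow from the thread: an external page links to a dashboard. The first
// request only loads the (unauthenticated) HTML shell; the app then calls the
// API from that document, which is a same-site request.
function dashboardLinkFlow(sameSite) {
  const htmlShell = { url: `${GRAYLOG}/dashboards/1`, initiator: EXTERNAL,
                      topLevelNavigation: true, method: 'GET' };
  const apiCall = { url: `${GRAYLOG}/api/dashboards/1`, initiator: `${GRAYLOG}/dashboards/1`,
                    topLevelNavigation: false, method: 'GET' };
  return { htmlShellHasCookie: cookieSent(sameSite, htmlShell),
           apiCallHasCookie: cookieSent(sameSite, apiCall) };
}

// The case Strict closes and Lax does not: an external link pointing directly
// at an API endpoint (placeholder path) is a top-level GET navigation.
function directApiLinkHasCookie(sameSite) {
  return cookieSent(sameSite, { url: `${GRAYLOG}/api/some-endpoint`, initiator: EXTERNAL,
                                topLevelNavigation: true, method: 'GET' });
}
```

With Strict the shell loads without the cookie and the follow-up API call carries it, matching the observation above; with Lax the direct API link would also carry it.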

@dennisoelkers dennisoelkers merged commit 667d09e into master Feb 26, 2024
5 checks passed
@dennisoelkers dennisoelkers deleted the fix/issue-16428 branch February 26, 2024 07:09

Successfully merging this pull request may close these issues.

Firefox warns about missing SameSite cookie attribute
2 participants