Description
- This is not a usage question.
- This is not a security issue.
- I am committed to implementing this feature in a reasonable amount of time, and responding promptly to feedback.
Current Behavior
The latest Chrome browser version (80+) has changed cookie behavior so that when SameSite is not specified, it defaults to "Lax" behavior. This is to provide enhanced security for CSRF vulnerabilities. Other browsers will be following this default coming soon.
For applications to retain the old behavior, they need to explicitly set their cookies to SameSite: "None". Currently, Authlogic does not permit "None" as a valid value in the VALID_SAME_SITE_VALUES constant.
References:
- https://www.chromium.org/updates/same-site
- https://www.chromium.org/updates/same-site/incompatible-clients
Proposed Behavior
Authlogic should support customizing of the Authlogic user_credentials cookie to have SameSite set to "None".
Proposed Solution
Hopefully, this is as simple as adding "None" to the constant list and perhaps adding a test or two. I propose this also comes with documentation on how to properly set the same_site attribute as currently there is none.
I also propose the fix applies to the 4.4.x line as well as the 5.x line. We are currently on Rails 5.0.x and use the 4.4.x line of Authlogic.
I am happy to submit a PR for this if the proposal is accepted and I am guided on the proper usage to add to the documentation. Thanks.
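The following is an added example, not Authlogic's code and not part of the issue above. It models what accepting "None" in a same_site validator involves, and adds the check a practitioner will want alongside it: the same Chrome 80 change that made "Lax" the default also rejects any SameSite=None cookie that is not marked Secure, so allowing "None" without also requiring `secure: true` just trades a working "Lax" cookie for one the browser silently drops. The constant, the `user_credentials_cookie` helper, the `SameSiteError` class and the `set_cookie_header` renderer are all hypothetical names chosen for this example.

```ruby
# Added example (not Authlogic's code): a hypothetical session-cookie builder
# that accepts the proposed "None" SameSite value and refuses the one
# combination Chrome 80+ will not store: SameSite=None without Secure.

require "uri"

# Hypothetical extension of Authlogic's VALID_SAME_SITE_VALUES with "None".
# Values are the exact strings the Set-Cookie header uses, so "none" is rejected.
VALID_SAME_SITE_VALUES = ["Lax", "Strict", "None"].freeze

class SameSiteError < ArgumentError; end

# Builds the attribute hash you would hand to a Rails-style cookie jar
# (cookies[:user_credentials] = {...}). Invalid combinations raise here,
# at configuration time, instead of surfacing as a login that never sticks.
def user_credentials_cookie(value, same_site: "Lax", secure: false, httponly: true, domain: nil)
  unless VALID_SAME_SITE_VALUES.include?(same_site)
    raise SameSiteError,
          "same_site must be one of #{VALID_SAME_SITE_VALUES.join(', ')}, got #{same_site.inspect}"
  end
  if same_site == "None" && !secure
    raise SameSiteError,
          "SameSite=None requires the Secure attribute; Chrome 80+ rejects the cookie otherwise"
  end
  { value: value, same_site: same_site, secure: secure, httponly: httponly, domain: domain }.compact
end

# Renders the Set-Cookie header line for the options above (path fixed to "/"),
# so the resulting attributes can be inspected without a running server.
def set_cookie_header(name, opts)
  parts = ["#{name}=#{URI.encode_www_form_component(opts[:value])}"]
  parts << "domain=#{opts[:domain]}" if opts[:domain]
  parts << "path=/"
  parts << "secure" if opts[:secure]
  parts << "HttpOnly" if opts[:httponly]
  parts << "SameSite=#{opts[:same_site]}"
  parts.join("; ")
end

if $PROGRAM_NAME == __FILE__
  # Cross-site use (e.g. the app embedded in another origin): None + Secure.
  opts = user_credentials_cookie("abc123", same_site: "None", secure: true)
  puts set_cookie_header("user_credentials", opts)

  # Same request without Secure is refused before it ever reaches a browser.
  begin
    user_credentials_cookie("abc123", same_site: "None")
  rescue SameSiteError => e
    puts "rejected: #{e.message}"
  end
end
```

Only opt into "None" when the cookie genuinely has to travel on cross-site requests; for an ordinary first-party login cookie the new "Lax" default is the CSRF-hardening the issue describes, and keeping it costs nothing. Note also that the value still has to be emitted by the cookie layer underneath: Rack only learned to write `SameSite=None` in 2.1, so on an older Rack (as shipped with Rails 5.0) adding "None" to the constant alone is not sufficient.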