[2.1] Trouble deleting SameSite=None cookies without Secure #17833
One of the changes in the new SameSite spec is that cookies marked as SameSite=None can only be set if also marked as Secure. This is fine when we're setting cookies, but it also causes a problem when trying to delete cookies.
There are a few code paths such as the ChunkingCookieManager used by CookieAuth that don't properly flow the Secure attribute on the delete code path.
This was fixed in 3.0 but should be backported to 2.1. 2.2 is also affected, but has reached end-of-life.
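The behavior described in this issue, modeled as an added example that is not part of the original thread or of ASP.NET Core's code: a cookie jar that ignores any Set-Cookie carrying SameSite=None without Secure, including the expired one meant to delete the cookie. The cookie name `auth`, the header strings and the `CookieJar` class are constructed for illustration, and real browsers apply more checks than this.

```javascript
// Parse one Set-Cookie header value into the fields this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "expires") cookie.expires = new Date(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Returns "stored", "deleted" or "rejected" for one Set-Cookie header.
  apply(header, now = new Date()) {
    const c = parseSetCookie(header);
    // The rule from the issue: SameSite=None is only accepted with Secure.
    // A rejected header is ignored entirely, so it cannot expire anything.
    if (c.sameSite === "none" && !c.secure) return "rejected";
    if (c.expires !== null && c.expires <= now) {
      this.cookies.delete(c.name);
      return "deleted";
    }
    this.cookies.set(c.name, c.value);
    return "stored";
  }
}

const EXPIRED = "expires=Thu, 01 Jan 1970 00:00:00 GMT";

function demo() {
  const jar = new CookieJar();
  const results = [];
  // Constructed headers: the sign-in cookie is set with both attributes.
  results.push(jar.apply("auth=abc; path=/; secure; samesite=none; httponly"));
  // Delete path that does not flow Secure: the jar ignores the header.
  results.push(jar.apply(`auth=; ${EXPIRED}; path=/; samesite=none`));
  const survived = jar.cookies.has("auth");
  // Delete path that repeats Secure: the cookie is removed.
  results.push(jar.apply(`auth=; ${EXPIRED}; path=/; secure; samesite=none`));
  return { results, survived, remaining: jar.cookies.size };
}
```

The practical consequence is that the sign-out response can succeed on the server while the authentication cookie stays in the browser, so checking the attributes on the deletion Set-Cookie header is the quickest way to confirm whether a deployment is affected.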
Just to double-check:
It does not help to put that in the DI, as it's not taken from there anyways, right?