relax SameSite requirement on members.dxesf.org "state" cookie

This cookie needs to be accessible when redirecting from the Google OAuth page, so it can't be strict. While here, also bump up the cookies to "HttpOnly".
dxe · Feb 20, 2020 · a8c01f9 · a8c01f9
1 parent ed3b5cf
commit a8c01f9
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/members/auth.go b/members/auth.go
@@ -75,7 +75,8 @@ func (s *server) login() {
 		Name:     membersState,
 		Value:    state,
 		MaxAge:   3600,
-		SameSite: http.SameSiteStrictMode,
+		SameSite: http.SameSiteLaxMode,
+		HttpOnly: true,
 	})
 
 	var opts []oauth2.AuthCodeOption
@@ -114,6 +115,7 @@ func (s *server) auth() {
 		Value:    idToken,
 		MaxAge:   3600,
 		SameSite: http.SameSiteStrictMode,
+		HttpOnly: true,
 	})
 	s.redirect(absURL("/"))
 }