enhancement: Enhance Security by Allowing Same-Site Cookie Value Modification

[fschade]

This commit introduces a significant enhancement to the security of our application by allowing the modification of the 'SameSite' attribute of cookies from the consuming application.

The 'SameSite' attribute is a security measure that browsers use to restrict how cookies are sent with cross-site requests.

By default, the Identity Provider (IDP) should be reachable from multiple domains; hence the 'SameSite' attribute is set to 'None'.

This allows cookies to be sent in all requests, irrespective of the site that the requests are being made from.

However, there are scenarios where the IDP should only be reachable from the same domain. In such cases, the 'SameSite' attribute needs to be set to 'Strict'.

This restricts the browser from sending cookies with any cross-site requests, thereby limiting the exposure of the user's session and mitigating the risk of Cross-Site Request Forgery (CSRF) attacks.

By allowing the 'SameSite' attribute to be modifiable, we provide the flexibility to tighten security measures based on the specific requirements and threat models of the consuming application.

This change does not impact existing functionality but provides an additional layer of security where needed.

https://www.authelia.com/configuration/session/introduction/#same_site-1
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

[longsleep]

Thanks, can you please explain in the commit message why this is needed / what the use case is / what it means for security.

It is not clear to me in why the lico cookies would need something else than "None" as the intention is explicitly to not block anyone from using the IdP from other domains if they have a registered client or are implicitly allowed.

I assume the idea is to somehow improve the security by allowing to specify cookies as SameSite=Strict?

[longsleep]

Thanks for the details, lgtm 👍