set SameSite to Strict for session cookie #4877

Closed
jvantuyl opened this issue Jul 2, 2022 · 1 comment


jvantuyl commented Jul 2, 2022

Currently, a number of browsers complain on page load that our session cookie doesn't specify a SameSite value. While I suppose we might want to have the user's session when it's accessed embedded in some other site, I have my doubts that it's a good default.

To wit, MITRE lists this in its "Common Weakness Enumeration" (CWE) DB as a "Medium" level risk (as CWE-1275). That leads me to believe that there is probably at least some auditor somewhere that would flag this.

Here is an example of someone asking about these messages in the wild. I propose we adopt the fix from that link. That is, add extra: "SameSite=Strict" to the end of the @session_options here.

mcrumm (Member) commented Jul 6, 2022

Hi @jvantuyl! We set same_site: "Lax" by default for newly generated apps, so I think we are okay here. See #4677 for details. Thanks for the report :)
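For readers comparing the two settings discussed above, here is an added illustration of the endpoint's session configuration. It is not Phoenix's generator output or code from either commenter; the module name MyAppWeb.Endpoint, the cookie key "_my_app_key" and the signing salt are placeholders, and the commented-out "weak" variant stands for a configuration that omits SameSite entirely.

```elixir
# lib/my_app_web/endpoint.ex (excerpt). Added illustration, not Phoenix's own
# generated file. MyAppWeb, "_my_app_key" and the salt are placeholders.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Weak: no SameSite attribute at all. Current browsers warn in the console,
  # and browsers that do not apply a "Lax" default attach the session cookie
  # to every cross-site request (the condition CWE-1275 describes).
  #
  # @session_options [
  #   store: :cookie,
  #   key: "_my_app_key",
  #   signing_salt: "replace-with-a-random-salt"
  # ]

  # Corrected: explicit SameSite. "Lax" is what the Phoenix generators emit
  # (see #4677). The cookie is still sent on top-level GET navigations from
  # other sites (a link in an e-mail, an OAuth provider redirecting back to
  # the app), but is withheld on cross-site POSTs, form submissions, iframes
  # and other sub-resource requests, which is what blocks classic CSRF.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "replace-with-a-random-salt",
    same_site: "Lax"
  ]

  # "Strict", the issue's original proposal, also withholds the cookie on
  # top-level navigations from other sites, so a logged-in user who follows a
  # link from elsewhere arrives without a session. The equivalent using the
  # raw attribute string is extra: "SameSite=Strict", which Plug.Session
  # appends verbatim to the Set-Cookie header; same_site: "Strict" is the
  # option-based spelling of the same thing.

  plug Plug.Session, @session_options
end
```

To confirm the attribute reaches the wire, fetch a page that touches the session and inspect the response headers, for example `curl -sI https://your-host/ | grep -i set-cookie`; the session cookie's Set-Cookie line should carry `SameSite=Lax` (or `Strict`). If you set `SameSite=None` to allow the session inside a third-party embed, browsers require `Secure` alongside it or they drop the cookie.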
