From 441bf2b1399659b4438a6691dbb07433f983caa1 Mon Sep 17 00:00:00 2001
From: kjac
Date: Tue, 11 Nov 2025 08:57:38 +0100
Subject: [PATCH 1/3] Added docs for auth tokens in cookies (V17)
---
 .../reference/configuration/securitysettings.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/17/umbraco-cms/reference/configuration/securitysettings.md b/17/umbraco-cms/reference/configuration/securitysettings.md
index ba5bc774e31..3ed9d750a31 100644
--- a/17/umbraco-cms/reference/configuration/securitysettings.md
+++ b/17/umbraco-cms/reference/configuration/securitysettings.md
@@ -44,6 +44,9 @@ A full configuration with all default values can be seen here:
 "AllowConcurrentLogins": false,
 "UserDefaultFailedLoginDurationInMilliseconds": 1000,
 "UserMinimumFailedLoginDurationInMilliseconds": 250,
+ "BackOfficeTokenCookie": {
+ "SameSite": "Strict"
+ }
 }
 }
 }
@@ -153,3 +156,13 @@ Options are:
 ## Member password settings
 
 This section allows you to define the password rules for members. This section is identical to the one for users.
+
+## Backoffice token cookie settings
+
+User authentication tokens are redacted from the server authentication responses and put into secure cookies instead. This section lets you change the default settings for the generated token cookies.
+
+It is not recommended to change these settings, as it may result in lesser security for the backoffice users.
+
+### Same site
+
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax" and "Strict" (default).
From 27f06d0a7c6a205335ee57f3000eaf491e45ae47 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:25:35 +0100
Subject: [PATCH 2/3] Update 17/umbraco-cms/reference/configuration/securitysettings.md
---
 17/umbraco-cms/reference/configuration/securitysettings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/17/umbraco-cms/reference/configuration/securitysettings.md b/17/umbraco-cms/reference/configuration/securitysettings.md
index 3ed9d750a31..995d870f5d0 100644
--- a/17/umbraco-cms/reference/configuration/securitysettings.md
+++ b/17/umbraco-cms/reference/configuration/securitysettings.md
@@ -159,7 +159,7 @@ This section allows you to define the password rules for members. This section i
 
 ## Backoffice token cookie settings
 
-User authentication tokens are redacted from the server authentication responses and put into secure cookies instead. This section lets you change the default settings for the generated token cookies.
+User authentication tokens are redacted from the server's authentication responses and put into secure cookies instead. This section lets you change the default settings for the generated token cookies.
 
 It is not recommended to change these settings, as it may result in lesser security for the backoffice users.
 
From 9ebaa459f4cf491783251b5934bf26deb88f1ab3 Mon Sep 17 00:00:00 2001
From: Esha Noronha <82437098+eshanrnh@users.noreply.github.com>
Date: Tue, 11 Nov 2025 10:25:42 +0100
Subject: [PATCH 3/3] Update 17/umbraco-cms/reference/configuration/securitysettings.md
---
 17/umbraco-cms/reference/configuration/securitysettings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/17/umbraco-cms/reference/configuration/securitysettings.md b/17/umbraco-cms/reference/configuration/securitysettings.md
index 995d870f5d0..6714e97a42e 100644
--- a/17/umbraco-cms/reference/configuration/securitysettings.md
+++ b/17/umbraco-cms/reference/configuration/securitysettings.md
@@ -165,4 +165,4 @@ It is not recommended to change these settings, as it may result in lesser secur
 
 ### Same site
 
-Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax" and "Strict" (default).
+Sets the `SameSite` configuration for the token cookies. Valid values are "Unspecified", "None", "Lax", and "Strict" (default).