
Set session cookie to be `SameSite=Lax`

Open Russ Garrett requested to merge russ/uffd-nginxauth:samesite-lax into master

This avoids an "enable cookies and refresh 2 times to continue" error which can't be bypassed after clicking a link from a different site to a site protected by uffd-nginxauth.

In order for a SameSite=Strict cookie to be sent, there needs to be at least one user navigation on the site first (clicking an external link to the site and receiving a redirect doesn't count).

From MDN:

[SameSite=Strict] should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#controlling_third-party_cookies_with_samesite
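The SameSite behaviour described above can be checked with a small model. This is an added example, not code from uffd-nginxauth or from this merge request: it is a simplified version of the browser rule, and the function names and the sites `other.example` and `protected.example` are constructed for illustration.

```python
# Simplified model of the browser's SameSite decision for a single request.
# Assumption: sites are passed in as already-computed registrable domains,
# and the Secure requirement for SameSite=None is not modelled.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_is_sent(samesite, initiator_site, target_site, method="GET", top_level=True):
    """Return True if a cookie with this SameSite value is attached to the request.

    initiator_site is the site the request was started from; None stands for a
    navigation with no initiating page (typed URL, bookmark).
    """
    same_site = initiator_site is None or initiator_site == target_site
    if same_site or samesite == "None":
        return True
    if samesite == "Lax":
        # Lax permits cross-site sending only on top-level navigations
        # that use a safe HTTP method.
        return top_level and method in SAFE_METHODS
    return False  # Strict: never attached to a cross-site request


def walk_navigation(samesite, initiator_site, hops):
    """Evaluate each hop of one navigation, including the redirects it follows.

    hops is a list of (site, method). A server redirect does not change the
    initiator, so every hop is judged against the page the user clicked from.
    """
    return [cookie_is_sent(samesite, initiator_site, site, method)
            for site, method in hops]


if __name__ == "__main__":
    # Constructed scenario: a link on other.example points at protected.example,
    # which answers with a redirect to another URL on protected.example.
    hops = [("protected.example", "GET"), ("protected.example", "GET")]
    for policy in ("Strict", "Lax"):
        print(policy, "from external link:", walk_navigation(policy, "other.example", hops))
    # A later click inside protected.example is a same-site navigation.
    print("Strict after on-site click:",
          walk_navigation("Strict", "protected.example", hops[:1]))
```

With `Strict`, neither the first request nor the redirected one carries the cookie, so a redirect alone never gets the session through; with `Lax`, both top-level GET requests carry it, while cross-site POSTs and subresource requests still do not.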
