Set session cookie to be `SameSite=Lax`

Russ Garrett requested to merge russ/uffd-nginxauth:samesite-lax into master

This avoids an "enable cookies and refresh 2 times to continue" error which can't be bypassed after clicking a link from a different site to a site protected by uffd-nginxauth.

In order for a SameSite=Strict cookie to be sent, there needs to be at least one user navigation on the site first (clicking an external link to the site and receiving a redirect doesn't count).

From MDN:

> [SameSite=Strict] should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#controlling_third-party_cookies_with_samesite
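Added illustration, not code from uffd-nginxauth or from the merge request: a small Python model of the browser rule the description relies on, with constructed site names, showing why a Strict session cookie is still missing after a cross-site link click plus server redirects while a Lax cookie is sent, and that Lax continues to withhold the cookie on cross-site POSTs and subresource requests. The `set_cookie_header` helper is an assumed shape for the header the title refers to, not the project's own code.

```python
"""Browser SameSite model for the scenario in this merge request.

Added illustration, not code from uffd-nginxauth; site names are constructed.
Rules modelled (from the MDN page linked above): Strict is never sent on a
cross-site request; Lax only on cross-site top-level navigations with a safe
method; None always, and it must be paired with Secure.
"""
from __future__ import annotations

from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    site: str               # site the request is sent to
    initiator_site: str     # site that triggered it (link origin, page origin)
    method: str = "GET"
    top_level: bool = True  # navigation (True) vs subresource / fetch (False)


def cookie_sent(samesite: str, req: Request) -> bool:
    """Would the browser attach a cookie carrying this SameSite value?"""
    if req.site == req.initiator_site:
        return True                      # same-site: every value is sent
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    if samesite == "None":
        return True
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def link_then_redirects(samesite: str, link_site: str, site: str, hops: int) -> list[bool]:
    """Cross-site link click to `site`, followed by `hops` server redirects.

    A redirect keeps the original cross-site initiator: it is not a user
    navigation on the site, so a Strict cookie is still missing on every hop.
    """
    return [cookie_sent(samesite, Request(site, link_site)) for _ in range(hops + 1)]


def set_cookie_header(name: str, value: str, samesite: str = "Lax") -> str:
    """Build a Set-Cookie header value for a session cookie (assumed shape)."""
    attrs = [f"{name}={value}", "HttpOnly", "Secure", f"SameSite={samesite}"]
    return "; ".join(attrs)
```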