Relax cookie restrictions to 'lax' to allow frontend to work
Our frontend requests the `/me` pathname in order to determine whether
it's logged in or not. Due to the fact that the sameSite attribute of
the session cookie was set to `strict` in a previous commit, the session
token was no longer sent along with HTTP calls initiated by JS. This is
due to the RFC's definition of "safe" HTTP calls in RFC7231.

The bug triggers the UI to show up like an unauthenticated user, even
after a successful login. In order to debug it, a look into the sent
cookies to `/me` turned out to be very enlightening.

The fix this patch implements is rather simple: it replaces the sameSite
attribute with `lax`, which enables the cookies for those requests again.
Some older and mobile clients were unaffected by this due to the lack of
implementations of sameSite policies.
References:
https://tools.ietf.org/html/rfc7231#section-4.2.1
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
e77e7b165a
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
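An added example, not part of this commit or the project, that models the SameSite decision rule from the referenced RFC 6265bis draft (section 5.3.7.1) together with the RFC 7231 safe-method list, so the strict/lax difference can be checked per request type; the request shape, the function names and the scenarios are constructed for illustration.

```javascript
// Added example (not project code): model of the SameSite attachment rule
// from draft-ietf-httpbis-rfc6265bis-05 section 5.3.7.1. The request
// object shape and the scenarios below are constructed assumptions.

// RFC 7231 section 4.2.1 "safe" methods.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

/**
 * Decide whether a cookie with the given SameSite value is attached.
 * @param {'strict'|'lax'|'none'} sameSite  cookie attribute value
 * @param {object}  req                     constructed request description
 * @param {boolean} req.sameSite            request's site-for-cookies equals the cookie's site
 * @param {string}  req.method              HTTP method
 * @param {boolean} req.topLevelNavigation  true for a top-level document navigation
 * @returns {boolean} true when the cookie is sent
 */
function cookieIsSent(sameSite, req) {
  // "None" opts out of same-site enforcement (browsers additionally require
  // the Secure attribute for None; not modelled here).
  if (sameSite === 'none') return true;
  // Same-site requests always carry the cookie, whatever the attribute.
  if (req.sameSite) return true;
  // Strict never sends the cookie on a cross-site request.
  if (sameSite === 'strict') return false;
  // Lax sends it cross-site only for safe-method top-level navigations.
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed scenarios for a session cookie.
const scenarios = {
  jsFetchFromApp:     { sameSite: true,  method: 'GET',  topLevelNavigation: false },
  linkFromOtherSite:  { sameSite: false, method: 'GET',  topLevelNavigation: true  },
  crossSiteFormPost:  { sameSite: false, method: 'POST', topLevelNavigation: true  },
  crossSiteImageLoad: { sameSite: false, method: 'GET',  topLevelNavigation: false },
};

// Compare strict vs lax for every scenario; returns { name: { strict, lax } }.
function compareStrictLax() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = { strict: cookieIsSent('strict', req), lax: cookieIsSent('lax', req) };
  }
  return out;
}
```

The only row where strict and lax differ is the cross-site top-level GET navigation, which is the case a state-changing GET route must be protected against independently of the cookie attribute.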
This commit is contained in: parent 8cf3b50ee9, commit 3d1fab0512

Changed file: app.js (2)
							| @ -147,7 +147,7 @@ app.use(session({ | |||||||
|   rolling: true, // reset maxAge on every response
 |   rolling: true, // reset maxAge on every response
 | ||||||
|   cookie: { |   cookie: { | ||||||
|     maxAge: config.sessionLife, |     maxAge: config.sessionLife, | ||||||
|     sameSite: 'strict', |     sameSite: 'lax', | ||||||
|     secure: config.useSSL || config.protocolUseSSL || false |     secure: config.useSSL || config.protocolUseSSL || false | ||||||
|   }, |   }, | ||||||
|   store: sessionStore |   store: sessionStore | ||||||
|  | |||||||
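Review bot: with `sameSite: 'lax'` in the `cookie:` block, the session cookie is now attached to cross-site top-level navigations that use safe methods (the RFC 6265bis section 5.3.7.1 behaviour the message cites), so any GET route that changes state still needs explicit CSRF protection; consider adding an inline comment next to `sameSite: 'lax'`, in the same style as `// reset maxAge on every response`, recording why `'strict'` broke the frontend so a later cleanup does not tighten it back. Also, `secure: config.useSSL || config.protocolUseSSL || false` on the following line leaves the cookie non-Secure whenever both flags are unset; that is unchanged here but worth confirming for deployments behind a TLS-terminating proxy.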