Add the SameSite cookie flag

[ArnCo]

Hey guys,

I see that HttpOnly and Secure flags are configurable in the configuration section.
Would it be possible to add a switch for the SameSite cookie flag ?

Thanks a lot and keep up the great work,

ArnCo

[hughbris]

Could you please explain this or link to something that does?

[ArnCo]

Hey @hughbris ,

Here is an explanation of what it does :
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Basically, this is an additional protection against CSRF.

Cheers,
ArnCo

[youngpabl0]

Guyz, hello, i too dont search any option to set this Cookie, may be you have any advices? Thanx.

[ArnCo]

Hi @lovkiymusic,

For now I'm doing it directly on my NginX server with the "proxy_cookie_path" directive.

Cheers,

ArnCo

[sebastianbaumann]

+1

would be great if we could set the samesite attribute for cookies in the system.yaml like the others attribute. example:

session:
enabled: true
initialize: true
timeout: 1800
name: site-
uniqueness: path
secure: true
httponly: true
split: true
path: null
samesite: true

[randoum]

See #3063

[ArnCo]

Looks like this can be closed, given the previous comment. Cheers 👍