Change DefaultCookieConfig to use the SameSiteLaxMode

* Redirecting to a provider's AuthURL as part of Login creates a chain of redirects to the configured backend callback handler to set a session cookie and (typically) redirect to a profile page * Strict cookies would not be sent in the request to the profile page because the redirect chain originated with a redirect to the login provider. The original referrer is used throughout the redirect chain. Because of this browser behavior, most users will need to use SameSite lax mode If you understand the implications, you can still set strict mode: ``` cookieConfig := sessions.DefaultCookieConfig cookieConfig.SameSite = http.SameSiteStrictMode ``` Rel: * https://www.nogginbox.co.uk/blog/strict-cookies-not-sent-by-request * https://bugzilla.mozilla.org/show_bug.cgi?id=1453814
dghubble · Jan 7, 2023 · 49f1e26 · 49f1e26
1 parent a9c7157
commit 49f1e26
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,10 @@ Notable changes between releases.
 
 ## Latest
 
+## v0.3.1
+
+* Change `DefaultCookieConfig` to use `SameSiteLaxMode` ([#22](https://github.com/dghubble/sessions/pull/22))
+
 ## v0.3.0
 
 * Change `CookieStore` and its fields to be non-exported ([#19](https://github.com/dghubble/sessions/pull/19))

diff --git a/cookie.go b/cookie.go
@@ -11,7 +11,7 @@ var DefaultCookieConfig = &CookieConfig{
 	MaxAge:   defaultMaxAge,
 	HTTPOnly: true,
 	Secure:   true,
-	SameSite: http.SameSiteStrictMode,
+	SameSite: http.SameSiteLaxMode,
 }
 
 // DebugCookieConfig configures http.Cookie creation for debugging. It