diff --git a/.changeset/shiny-drinks-camp.md b/.changeset/shiny-drinks-camp.md
new file mode 100644
index 00000000000..476ee53ac15
--- /dev/null
+++ b/.changeset/shiny-drinks-camp.md
@@ -0,0 +1,6 @@
+---
+'@keystone-next/website': minor
+'@keystone-next/keystone': minor
+---
+
+Added `sameSite` option to session options for cookies
diff --git a/docs/pages/apis/session.mdx b/docs/pages/apis/session.mdx
index 37d05d11b32..343af194903 100644
--- a/docs/pages/apis/session.mdx
+++ b/docs/pages/apis/session.mdx
@@ -19,6 +19,7 @@ export default config({
       secure: true,
       path: '/',
       domain: 'localhost',
+      sameSite: 'lax',
     }),
     { User: 'name isAdmin' }
   ),
@@ -63,8 +64,10 @@ Options
 For Firefox, the `https:` requirements are ignored when the `secure` attribute is set by localhost (since Firefox 75).
 - `path` (default: `'/'`): A path that must exist in the requested URL, or the browser won't send the cookie header. The forward slash (`/`) character is interpreted as a directory separator, and subdirectories will be matched as well: for `path: '/docs'`, `/docs`, `/docs/Web/`, and `/docs/Web/HTTP` will all match.
-- `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute..
+- `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute. **Note**: Only one domain is allowed. If a domain is specified then subdomains are always included.
+- `sameSite` (default: `'lax'`): Controls whether the cookie is sent with cross-origin requests. Can be one of `true`, `false`, `'strict'`, `'lax'` or `'none'`. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute.
+  **Note**: The `secure` attribute must also be set when `sameSite` is set to `none`!
 ### Session stores
diff --git a/packages-next/keystone/src/session/index.ts b/packages-next/keystone/src/session/index.ts
index 7befb911479..cac0d706804 100644
--- a/packages-next/keystone/src/session/index.ts
+++ b/packages-next/keystone/src/session/index.ts
@@ -64,6 +64,12 @@ type StatelessSessionsOptions = {
    * @default current domain
    */
   domain?: string;
+  /**
+   * Specifies the boolean or string to be the value for the {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|`SameSite` `Set-Cookie` attribute}.
+   *
+   * @default 'lax'
+   */
+  sameSite?: true | false | 'lax' | 'strict' | 'none';
 };
 type FieldSelections = {
@@ -122,6 +128,7 @@ export function statelessSessions({
   secure = process.env.NODE_ENV === 'production',
   ironOptions = Iron.defaults,
   domain,
+  sameSite = 'lax',
 }: StatelessSessionsOptions): () => SessionStrategy {
   return () => {
     if (!secret) {
@@ -148,7 +155,7 @@ export function statelessSessions({
         httpOnly: true,
         secure,
         path,
-        sameSite: 'lax',
+        sameSite,
         domain,
       })
     );
@@ -164,7 +171,7 @@ export function statelessSessions({
         httpOnly: true,
         secure,
         path,
-        sameSite: 'lax',
+        sameSite,
         domain,
       })
     );
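Review bot: The new `sameSite` option in `StatelessSessionsOptions` spells its boolean members out as `true | false`, which is just `boolean` with extra noise; `sameSite?: boolean | 'lax' | 'strict' | 'none';` says the same thing in the idiomatic form. The TSDoc also leaves the reader guessing what the two boolean values turn into on the wire — the docs page in this commit lists them as accepted values without explaining them either — so a sentence such as "`true` and `false` are passed through to the cookie serializer; confirm against its documentation which SameSite value each one emits" (hedged, because the serializer is not visible in this diff) would help. The type declaration starts before the hunk.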
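Review bot: The added `sameSite = 'lax'` default in the `statelessSessions` parameter list is never checked against `secure`, so a caller passing `sameSite: 'none'` while `secure` is left at its `process.env.NODE_ENV === 'production'` default will, outside production, emit a `SameSite=None` cookie without the `Secure` attribute; browsers that enforce the None-requires-Secure rule drop such a cookie and the session silently never persists. The docs hunk in this commit states the requirement but nothing enforces it; a guard next to the existing `if (!secret)` check, `if (sameSite === 'none' && !secure) throw new Error("sameSite: 'none' requires secure: true");`, turns the misconfiguration into an explicit error at the same point the missing-secret check fires. The signature of `statelessSessions` and the remainder of its body lie outside the hunk.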
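Review bot: After this change the two cookie option objects at -148 and -164 are identical in every attribute (`httpOnly`, `secure`, `path`, `sameSite`, `domain`) and must be edited in lockstep, which is how the hard-coded `'lax'` ended up duplicated in the first place. Declaring them once inside the returned closure, `const cookieOptions = { httpOnly: true, secure, path, sameSite, domain };`, and passing `cookieOptions` to both calls removes the drift risk without changing behavior. Both calls sit inside the closure returned by `statelessSessions`, whose body extends beyond the hunks.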