Add Same-Site Cookie configuration option #3688
Conversation
| | | ||
| */ | ||
|
|
||
| 'same_site' => null, |
There was a problem hiding this comment.
Could you provide more information on what exactly each of those three options do?
There was a problem hiding this comment.
The same-site attribute can take one of two values: ‘strict’ or ‘lax’ whereas null is none.
In strict mode, same-site cookies will be withheld for any kind of cross-site usage. This includes all inbound links from external sites to the application. Visitors clicking on such a link will initially be treated as ‘not being logged in’ whether or not they have an active session with the site.
The lax mode caters to applications which are incompatible with these restrictions. In this mode, same-site cookies will be withheld on cross-domain subrequests (e.g. images or frames), but will be sent whenever a user navigates safely from an external site, for example by following a link.
Also see
https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1.1
There was a problem hiding this comment.
Could you provide a summarized version of that information directly in the doc block for the config option itself?
There was a problem hiding this comment.
Done, see 8775b8b
There was a problem hiding this comment.
One last question, I know this is in the session.php config in Laravel, but in October we have the separate cookie.php config file, would this make more sense there instead or would that be too confusing?
There was a problem hiding this comment.
If we are moving this to the cookies.php we should move the other cookie configurations also to the cookie.php, like:
- secure (HTTPS Only Cookies)
- domain (Session Cookie Domain)
- path (Session Cookie Path)
- cookie (Session Cookie Name)
I think for this PR it's better to keep it in the session.php, we can always move it to the cookie.php (with the other cookie configuration options).
ghost
mentioned this pull request
Adds the Same-Site configuration option for cookies. Laravel already has this configuration option in 5.5, see https://github.com/laravel/laravel/blob/5.5/config/session.php#L195.
More information about Same-Site cookies https://www.owasp.org/index.php/SameSite.