Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow configuring same-site for session cookies #303

Merged
merged 4 commits into from
Mar 21, 2020
Merged

feat: allow configuring same-site for session cookies #303

merged 4 commits into from
Mar 21, 2020

Conversation

zepatrik
Copy link
Member

Related issue

closes #257

Proposed changes

It is now possible to set SameSite for the session cookie via the key security.session.cookie.same_site.

@zepatrik zepatrik marked this pull request as ready for review March 20, 2020 18:32
@zepatrik zepatrik requested a review from aeneasr March 20, 2020 18:32
aeneasr
aeneasr reviewed Mar 21, 2020
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

driver/configuration/provider_viper.go
@@ -370,3 +373,15 @@ func (p *ViperProvider) SelfServiceVerificationReturnTo() *url.URL {
func (p *ViperProvider) SelfServicePrivilegedSessionMaxAge() time.Duration {
return viperx.GetDuration(p.l, ViperKeySelfServicePrivilegedAuthenticationAfter, time.Hour)
}

func (p *ViperProvider) SessionSameSiteMode() http.SameSite {
switch viperx.GetString(p.l, ViperKeySessionSameSite, "Lax") {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this case-insensitive!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we might respect the standard https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#SameSite
but is not really necessary

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I guess you're right, I mean it is being validated in the JSON Schema so it would be easily detectable. I think both ways are ok. What do you think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's just leave it this way, validation will anyway only allow the capitalized version.

@aeneasr aeneasr merged commit 2eb2054 into master Mar 21, 2020
@zepatrik zepatrik deleted the same-site-cookie branch March 23, 2020 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow configuration of same-site cookie
2 participants
@zepatrik @aeneasr