feat: allow configuring same-site for session cookies

docs/config.schema.json

@@ -185,6 +185,15 @@
         "$ref": "#/definitions/selfServiceRedirectHook"
       },
       "uniqueItems": true
+    },
+    "cookiesSameSite": {
+      "type": "string",
+      "enum": [
+        "Strict",
+        "Lax",
+        "None"
+      ],
+      "default": "Lax"
     }
   },
   "properties": {
@@ -588,6 +597,27 @@
         }
       },
       "additionalProperties": false
+    },
+    "security": {
+      "type": "object",
+      "properties": {
+        "session": {
+          "type": "object",
+          "properties": {
+            "cookie": {
+              "type": "object",
+              "properties": {
+                "same_site": {
+                  "$ref": "#/definitions/cookiesSameSite"
+                }
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
     }
   },
   "required": [

driver/configuration/provider.go

@@ -2,6 +2,7 @@ package configuration
 
 import (
 	"encoding/json"
+	"net/http"
 	"net/url"
 	"time"
 
@@ -99,4 +100,6 @@ type Provider interface {
 	TracingJaegerConfig() *tracing.JaegerConfig
 
 	IsInsecureDevMode() bool
+
+	SessionSameSiteMode() http.SameSite
 }

driver/configuration/provider_viper.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"net/url"
 	"runtime"
 	"time"
@@ -53,6 +54,8 @@ const (
 
 	ViperKeyLifespanSession = "ttl.session"
 
+	ViperKeySessionSameSite = "security.session.cookie.same_site"
+
 	ViperKeySelfServiceStrategyConfig                = "selfservice.strategies"
 	ViperKeySelfServiceRegistrationBeforeConfig      = "selfservice.registration.before"
 	ViperKeySelfServiceRegistrationAfterConfig       = "selfservice.registration.after"
@@ -370,3 +373,15 @@ func (p *ViperProvider) SelfServiceVerificationReturnTo() *url.URL {
 func (p *ViperProvider) SelfServicePrivilegedSessionMaxAge() time.Duration {
 	return viperx.GetDuration(p.l, ViperKeySelfServicePrivilegedAuthenticationAfter, time.Hour)
 }
+
+func (p *ViperProvider) SessionSameSiteMode() http.SameSite {
+	switch viperx.GetString(p.l, ViperKeySessionSameSite, "Lax") {
+	case "Lax":
+		return http.SameSiteLaxMode
+	case "Strict":
+		return http.SameSiteStrictMode
+	case "None":
+		return http.SameSiteNoneMode
+	}
+	return http.SameSiteDefaultMode
+}

driver/registry_default.go

@@ -69,7 +69,7 @@ type RegistryDefault struct {
 	schemaHandler *schema.Handler
 
 	sessionHandler *session.Handler
-	sessionsStore  sessions.Store
+	sessionsStore  *sessions.CookieStore
 	sessionManager session.Manager
 
 	passwordHasher    password2.Hasher
@@ -279,6 +279,7 @@ func (m *RegistryDefault) CookieManager() sessions.Store {
 		cs.Options.HttpOnly = true
 		m.sessionsStore = cs
 	}
+	m.sessionsStore.Options.SameSite = m.c.SessionSameSiteMode()
 	return m.sessionsStore
 }