Open Venefilyn opened 4 years ago
@SpyTec Would this resolve the issue? https://github.com/SohoHouse/nuxt-oauth/pull/63
@hamishhossack I believe it would. client-sessions doesn't support sameSite: none though, so if this is made user-configurable with client-sessions it needs to have a note about none being unsupported.
client-sessions had their last release 3 years ago on NPM. So I'd still advocate for replacing client-sessions.
@SpyTec After some discussion we decided that we want to keep encrypted cookies. We can look at another lib if this also meets these standards.
client-sessions doesn't support sameSite: none though, so if this is made user-configurable with client-sessions it needs to have a note about none being unsupported.
Agreed.
@SpyTec @samtgarson https://www.npmjs.com/package/iron-session
Not adopted by many yet, but a good approach.
client-sessions dependency seems largely ignored and unmaintained. Is there a different dependency that can be used instead?
One of the reasons for this is that major browsers will soon ignore cookies with SameSite=None and unset Secure attribute.
Luckily, it was pushed off in Chrome to a later release. But it seems to me that it will still happen in Firefox relatively soon.
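
Added example, not part of the issue thread or of nuxt-oauth or client-sessions: a small Node.js check that classifies Set-Cookie header values under the browser rule the issue describes (SameSite=None is ignored unless Secure is also set). The function names parseSetCookie and auditCookie and the sample headers are constructed for illustration.

```javascript
// Added example: classify Set-Cookie header values under the SameSite rules
// discussed in this issue. Function names and sample headers are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? '' : pair.slice(0, eq)).trim();
  const value = (eq === -1 ? pair : pair.slice(eq + 1)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Verdicts:
//   rejected        SameSite=None without Secure: the browser drops the cookie
//   cross-site-ok   SameSite=None together with Secure
//   same-site-only  explicit Lax or Strict
//   defaults-to-lax attribute missing or unrecognised (treated as Lax by
//                   browsers that apply the Lax-by-default rule)
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = attrs.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : null;
  const secure = 'secure' in attrs;
  let verdict = 'defaults-to-lax';
  if (sameSite === 'none') verdict = secure ? 'cross-site-ok' : 'rejected';
  else if (sameSite === 'lax' || sameSite === 'strict') verdict = 'same-site-only';
  return { name, sameSite, secure, verdict };
}

// Constructed sample headers, as a session middleware might emit them.
const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly; SameSite=None',
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=None',
  'session=abc123; Path=/; HttpOnly',
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
];

for (const h of sampleHeaders) {
  console.log(`${auditCookie(h).verdict.padEnd(16)} ${h}`);
}
```

Running the same check against the Set-Cookie headers captured from a staging response shows whether a session cookie would be dropped before the browser change reaches users.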