SohoHouse / nuxt-oauth

Simple OAuth2 integration for your Nuxt app
MIT License

Replace client-sessions to avoid nuxt-oauth breaking #55

Open Venefilyn opened 4 years ago

Venefilyn commented 4 years ago

client-sessions dependency seems largely ignored and unmaintained. Is there a different dependency that can be used instead?

One of the reasons for this is that major browsers will soon ignore cookies with SameSite=None and unset Secure attribute.

Cookie “nuxtSession” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Luckily, it was pushed off in Chrome to a later release. But it seems to me that it will still happen in Firefox relatively soon.
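The browser rule the warning above describes, applied to a session cookie like `nuxtSession`, as an added example (not code from nuxt-oauth, client-sessions or the thread); the function names and the `opts` shape are assumptions, not an API of either project:

```javascript
// Added example: build a session Set-Cookie header and audit existing ones
// against the rule "SameSite=None (or an invalid value) without Secure is
// rejected". Names and option shape are hypothetical, not nuxt-oauth's.

const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Build a Set-Cookie header value. Throws instead of emitting a cookie the
// browser will drop, so the misconfiguration surfaces in development.
function buildSessionCookie(name, value, opts = {}) {
  const sameSite = String(opts.sameSite ?? 'lax').toLowerCase();
  if (!VALID_SAMESITE.has(sameSite)) {
    throw new Error(`invalid sameSite value: ${opts.sameSite}`);
  }
  if (sameSite === 'none' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (opts.secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite[0].toUpperCase()}${sameSite.slice(1)}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  return parts.join('; ');
}

// Audit a Set-Cookie header value (e.g. copied from a response in dev tools)
// and report why a browser applying the rule would reject it.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim());
  const get = (k) => attrs.find((a) => a.toLowerCase().startsWith(k.toLowerCase() + '='));
  const has = (k) => attrs.some((a) => a.toLowerCase() === k.toLowerCase());
  const ss = get('SameSite');
  const sameSite = ss ? ss.split('=')[1].trim().toLowerCase() : undefined;
  // An unknown SameSite value is treated like None by the browser rule.
  const effectiveNone = sameSite !== undefined && (sameSite === 'none' || !VALID_SAMESITE.has(sameSite));
  const problems = [];
  if (sameSite !== undefined && !VALID_SAMESITE.has(sameSite)) {
    problems.push(`invalid SameSite value "${ss.split('=')[1].trim()}"`);
  }
  if (effectiveNone && !has('Secure')) {
    problems.push('SameSite=None (or invalid) without Secure: browser will reject the cookie');
  }
  if (!has('HttpOnly')) problems.push('missing HttpOnly: session cookie readable from script');
  return { ok: problems.length === 0, problems };
}
```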

hamishhossack commented 4 years ago

@SpyTec Would this resolve the issue? https://github.com/SohoHouse/nuxt-oauth/pull/63

Venefilyn commented 4 years ago

@hamishhossack I believe it would. client-sessions doesn't support sameSite: none though, so if this is made user-configurable with client-sessions it needs to have a note about none being unsupported.

client-sessions had their last release 3 years ago on NPM. So I'd still advocate for replacing client-sessions.

hamishhossack commented 4 years ago

@SpyTec After some discussion we decided that we want to keep encrypted cookies. We can look at another lib if this also meets these standards.

> client-sessions doesn't support sameSite: none though, so if this is made user-configurable with client-sessions it needs to have a note about none being unsupported.

Agreed.

hamishhossack commented 4 years ago

@SpyTec @samtgarson https://www.npmjs.com/package/iron-session

Not adopted by many yet, but a good approach.