Closed mikl closed 4 years ago
As for setting SameSite to Lax, that setting is still better than no same-site protection, and setting it to Strict would mean that the remember_me cookie is not sent on the first request to the site, which is probably not the right choice for a remember me cookie. See the aforelinked post from Mozilla for details on what the different SameSite values do.
Thanks @mikl! My understanding is that browsers are moving to Lax as a default, so I would say we can just skip this option altogether. More info here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Odds are that Lax will be the default in all browsers. But it will take years for the whole industry to migrate, especially for users of mobile devices that can’t upgrade their browsers, so I think it’s worth setting it explicitly, at least until it becomes truly universal. It’s a fairly small change on our side, and it rules out a lot of exploits.
What is the percentage of browsers that support Lax and do not have Lax as a default? Last time I checked it was a very small subset.
Anyone using Chrome v51-80, Edge v16-80, Firefox v60 and onwards (Lax is not default in consumer builds yet), Opera v39-67 and Safari v12.2 and onwards (no Lax by default announced) would benefit from this.
Safari alone has a big market share, so it’s probably 20-30% of users right now, although I agree that will decline over time.
That’s useful, thanks! Although I would expect all of those, except Safari, to be updated rather quickly. What about mobile devices? Do any of them support SameSite already?
Most mobile browsers are repackaged Chrome or Safari (Firefox Mobile exists, but is not common), so the same version ranges apply to them. That is, all iPhones (running iOS 12 and later), and most older Androids could benefit from an explicit SameSite=Lax declaration.
SameSite protection on cookies is rapidly becoming the standard for secure applications, so much so that Firefox will be setting it by default soon. To make sure all users benefit from this protection against CSRF and other such attacks, setting SameSite: Lax on the remember_me cookie would be a good thing.
Be aware that this option was only added in Plug v1.10.1. Due to the way it is implemented, the same_site option simply does nothing if you have an older version of Plug, so it should be fine to add this to the generator, without requiring Plug v1.10.1.
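What the change discussed above looks like in Plug, as an added example that is not code from this thread or from the project: the remember_me cookie is set with same_site: "Lax" (Strict would drop it on the first navigation into the site, as noted above), and the emitted Set-Cookie header is then inspected, because on Plug older than v1.10.1 the option is silently ignored. The module name RememberMeCookie, the cookie lifetime and the token value are assumptions.

```elixir
# Added example, not the project's code. Assumes Plug >= 1.10.1, where
# Plug.Conn.put_resp_cookie/4 accepts :same_site; on older Plug the option is
# dropped without error, which is exactly what check_same_site/1 detects.
defmodule RememberMeCookie do
  import Plug.Conn

  @cookie "remember_me"
  # Assumed lifetime for the example: 30 days.
  @thirty_days 60 * 60 * 24 * 30

  # Set the remember_me cookie with SameSite=Lax. Lax still sends the cookie on
  # top-level navigations into the site, which a "remember me" cookie needs;
  # Strict would not, as the thread points out.
  def put(conn, token) do
    put_resp_cookie(conn, @cookie, token,
      max_age: @thirty_days,
      http_only: true,
      secure: true,
      same_site: "Lax"
    )
  end

  # Inspect the Set-Cookie header Plug actually emitted for the cookie.
  # Returns :ok when SameSite=Lax is present, {:error, reason} otherwise
  # (the attribute is absent when the running Plug predates the option).
  def check_same_site(conn) do
    header =
      conn
      |> get_resp_header("set-cookie")
      |> Enum.find(&String.starts_with?(&1, @cookie <> "="))

    cond do
      is_nil(header) -> {:error, :cookie_not_set}
      String.contains?(header, "SameSite=Lax") -> :ok
      true -> {:error, {:same_site_missing, header}}
    end
  end
end

# Usage with a test connection. Plug merges resp_cookies into the Set-Cookie
# headers only when the response is sent, hence the send_resp/3 call.
conn =
  Plug.Test.conn(:get, "/")
  |> RememberMeCookie.put("constructed-opaque-token")
  |> Plug.Conn.send_resp(200, "ok")

IO.inspect(RememberMeCookie.check_same_site(conn), label: "remember_me SameSite check")
```

The same check makes a useful assertion in the generator's test suite: it turns the silent no-op on older Plug into a visible failure.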