edicl / hunchentoot

Web server written in Common Lisp
https://edicl.github.io/hunchentoot/

Misusing SameSite Attribute For Cookies #198

Open charJe opened 3 years ago

charJe commented 3 years ago
Cookie “test-cookie” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

set-cookie doesn't have a same-site option.

MichaelAnckaert commented 1 year ago

@charJe The current version on the master branch has this option. It seems the latest release (1.3.0 at time of writing - also the one in QuickLisp) lacks the option.

You can clone the git repository in your quicklisp/local-projects directory to use the up to date version.

jkcunningham commented 1 year ago

Cloning the git repo in quicklisp/local-projects indeed provides the needed SameSite attribute in the cookie object. However, there isn't any easy way to set it when a session starts. I've temporarily solved this problem by adding (defparameter default-cookie-same-site nil) above that function in session.lisp and setting :same-site to default-cookie-same-site in the start-session set-cookie call. Doing this makes it transparent to other users and allows me to change that global parameter after I load hunchentoot.

But I'm going to have to do that every time I update hunchentoot. It would be nice to get some control over this built into the project itself.
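An added example, not code from hunchentoot or from anyone in this thread, of the per-handler alternative to patching session.lisp: a small wrapper around hunchentoot:set-cookie that applies a global default SameSite value and refuses the combination the browser warning above complains about (SameSite=None without Secure). It assumes a hunchentoot build whose set-cookie accepts :same-site (master at the time of the thread, per the comments); *default-cookie-same-site* and set-cookie-checked are names chosen here, not part of hunchentoot.

```lisp
;; Added example (not hunchentoot's own code). Assumes HUNCHENTOOT:SET-COOKIE
;; accepts :same-site in addition to its usual :secure / :http-only keywords.

(defparameter *default-cookie-same-site* "Lax"
  "SameSite value used when a caller does not pass :same-site explicitly.
   NIL means omit the attribute entirely. This parameter is defined here,
   not by hunchentoot.")

(defun set-cookie-checked (name &rest args
                           &key (same-site *default-cookie-same-site*) secure
                           &allow-other-keys)
  "Set cookie NAME through HUNCHENTOOT:SET-COOKIE, normalising SAME-SITE to
   Strict / Lax / None and rejecting SameSite=None unless SECURE is true,
   which is exactly the combination browsers now drop. All other keyword
   arguments (:value :path :domain :max-age :http-only ...) are forwarded."
  (let ((same-site (and same-site (string-capitalize same-site))))
    (unless (member same-site '("Strict" "Lax" "None" nil) :test #'equal)
      (error "Cookie ~A: invalid SameSite value ~S" name same-site))
    (when (and (equal same-site "None") (not secure))
      (error "Cookie ~A: SameSite=None requires the Secure attribute" name))
    ;; Strip :same-site from ARGS so the normalised value is the one sent.
    (apply #'hunchentoot:set-cookie name
           :same-site same-site
           (loop for (key value) on args by #'cddr
                 unless (eq key :same-site) append (list key value)))))

;; Usage: a cross-site cookie must also be Secure (and here HttpOnly), so this
;; call is accepted; the same call without :secure t signals an error at
;; development time instead of shipping a cookie the browser will reject.
(hunchentoot:define-easy-handler (set-test-cookie :uri "/set-test-cookie") ()
  (set-cookie-checked "test-cookie"
                      :value "1" :same-site "None" :secure t :http-only t)
  "cookie set")
```

Setting *default-cookie-same-site* once after loading hunchentoot gives the same effect as the defparameter workaround above, without editing the library source.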