gorilla / sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
https://gorilla.github.io
BSD 3-Clause "New" or "Revised" License

SameSite is not set in the default path #256

Closed martinlindhe closed 5 months ago

martinlindhe commented 2 years ago

The SameSite patch in #165 and #170 forgot to initialize SameSite to a value in the default path.

I think the intent was to initialize it to http.SameSiteDefaultMode.

Currently this results in the following error in Firefox Developer Tools:

Cookie “id” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

bharat-rajani commented 6 months ago

@martinlindhe The http.SameSiteDefaultMode would still result in the cookie being dropped, because the default mode will not add SameSite.

I am leaning towards defaulting SameSite to http.SameSiteLaxMode inside the cookie store initializer (NewCookieStore). Along with this, it should be clearly documented, through an example, that this option is configurable.

References for my above opinions:

Expired draft: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1

Currently active: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1
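Added example, not gorilla/sessions' own code (NewSessionCookie is a hypothetical constructor standing in for the store initializer): it prints the Set-Cookie header net/http emits for a cookie whose SameSite was never set next to one defaulted to Lax as proposed above, and checks a header for the missing-attribute, None-without-Secure and invalid-value cases the Firefox warning covers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewSessionCookie is a hypothetical constructor applying the default proposed in the thread: SameSite=Lax.
func NewSessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", MaxAge: 86400, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// SetCookieHeader returns the Set-Cookie header value net/http emits for c.
func SetCookieHeader(c *http.Cookie) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie")
}

// CheckSameSite reports whether a Set-Cookie header's SameSite/Secure combination is acceptable:
// the attribute must be present (the gap this issue reports), hold a known value, and None requires Secure.
func CheckSameSite(header string) (bool, string) {
	sameSite, present, secure := "", false, false
	for _, attr := range strings.Split(header, ";")[1:] {
		k, v, _ := strings.Cut(strings.TrimSpace(attr), "=")
		switch strings.ToLower(k) {
		case "samesite": // a bare "SameSite" leaves v empty and is reported as invalid below
			present, sameSite = true, strings.ToLower(v)
		case "secure":
			secure = true
		}
	}
	switch {
	case !present:
		return false, "SameSite attribute missing"
	case sameSite == "none" && !secure:
		return false, "SameSite=None without Secure"
	case sameSite != "none" && sameSite != "lax" && sameSite != "strict":
		return false, fmt.Sprintf("invalid SameSite value %q", sameSite)
	}
	return true, ""
}
func main() { // unpatched store (zero-value SameSite) versus the proposed Lax default
	for _, c := range []*http.Cookie{{Name: "id", Value: "abc", Path: "/"}, NewSessionCookie("id", "abc")} {
		h := SetCookieHeader(c)
		ok, why := CheckSameSite(h)
		fmt.Println(h, "->", ok, why)
	}
}
```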