pixelmund / svelte-kit-cookie-session

⚒️ Encrypted "stateless" cookie sessions for SvelteKit
MIT License

Consider `SameSite=Lax` as a new default #32

Closed. mrkishi closed this 2 years ago

mrkishi commented 2 years ago

For some reason, we've seen an influx of questions about how to properly handle user sessions after an OAuth login with SvelteKit. While this isn't exclusive to svelte-kit-cookie-session, your users are also unknowingly affected because of the `SameSite=Strict` default.

The issue with SameSite=Strict is that it is too restrictive for the vast majority of use-cases. It prevents browsers from sending cookies on all requests that originated from a third-party domain, even if indirectly. This is the case for OAuth logins: third-party services usually issue 302 redirects to your callback endpoints where you're likely to further redirect the user to a specific page—but since the redirect chain originated outside your domain, the browser will not send the cookies upon arrival at the target page.

While it does provide more security than Lax, its usefulness is dubious for most people. With Strict, if a third-party domain even links to your site with a vanilla `<a href="https://www.yoursite.com">Your site</a>` anchor, your users will be logged out when navigating through those links as the cookies will be blocked.

Please, consider switching to SameSite=Lax by default as it enables most of the safety guards while not breaking common use-cases.
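A worked model of the behaviour described in the comment above, added here as an illustration; it is not code from the issue, from SvelteKit or from svelte-kit-cookie-session. It encodes the SameSite rules a browser applies (a request is same-site only when every origin in its navigation chain, redirect hops included, shares the target's registrable domain and scheme; Lax additionally allows cross-site top-level navigations with a safe method), then runs the scenarios the comment raises: the OAuth callback reached via the provider's 302, the follow-on redirect to a landing page, a plain external link, a cross-site form POST, a cross-site fetch, and an internal link. The hostnames (www.yoursite.com, accounts.idp.example, news.example, evil.example), the cookie objects and the scenario table are constructed for the example, and the registrable-domain helper simply keeps the last two labels instead of consulting the Public Suffix List.

```javascript
// Added example: a small model of browser SameSite handling, not library code.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Registrable domain + scheme. Assumption: last two labels are enough for the
// constructed hostnames below (a real browser uses the Public Suffix List).
function site(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// A request is same-site only if every origin that initiated it, including
// every redirect hop, is same-site with the target. An OAuth callback reached
// through the provider's 302 therefore counts as cross-site.
function isSameSiteRequest(targetUrl, initiators) {
  const target = site(targetUrl);
  return initiators.every((origin) => site(origin) === target);
}

// Would the browser attach `cookie` to `req`?
function cookieSent(cookie, req) {
  const sameSite = isSameSiteRequest(req.url, req.initiators);
  const attr = (cookie.sameSite ?? 'lax').toLowerCase(); // browsers default to Lax
  switch (attr) {
    case 'strict':
      return sameSite;
    case 'lax':
      return sameSite || (req.topLevelNavigation && SAFE_METHODS.has(req.method));
    case 'none':
      return Boolean(cookie.secure); // SameSite=None is only honoured with Secure
    default:
      throw new Error(`unknown SameSite value: ${attr}`);
  }
}

// Constructed hosts and cookies.
const APP = 'https://www.yoursite.com';
const PROVIDER = 'https://accounts.idp.example';
const strictSession = { name: 'kit.session', sameSite: 'strict', secure: true };
const laxSession = { name: 'kit.session', sameSite: 'lax', secure: true };

// Constructed request scenarios. `initiators` is the chain of origins that led
// to the request, oldest first.
const scenarios = {
  // Provider 302s the user back to the callback: chain started cross-site.
  oauthCallback: { url: `${APP}/auth/callback?code=abc`, method: 'GET',
    topLevelNavigation: true, initiators: [PROVIDER] },
  // The callback then 302s to a landing page; the chain still began at the provider.
  postCallbackRedirect: { url: `${APP}/dashboard`, method: 'GET',
    topLevelNavigation: true, initiators: [PROVIDER, APP] },
  // A vanilla <a href> on some other site.
  externalLink: { url: `${APP}/`, method: 'GET',
    topLevelNavigation: true, initiators: ['https://news.example'] },
  // Cross-site form POST: the classic CSRF shape.
  crossSitePost: { url: `${APP}/account/delete`, method: 'POST',
    topLevelNavigation: true, initiators: ['https://evil.example'] },
  // Cross-site fetch()/img subresource, not a navigation.
  crossSiteFetch: { url: `${APP}/api/me`, method: 'GET',
    topLevelNavigation: false, initiators: ['https://evil.example'] },
  // Ordinary link inside the app.
  internalLink: { url: `${APP}/settings`, method: 'GET',
    topLevelNavigation: true, initiators: [APP] },
};

// Map each scenario name to whether the cookie would be sent.
function evaluate(cookie) {
  return Object.fromEntries(
    Object.entries(scenarios).map(([name, req]) => [name, cookieSent(cookie, req)]),
  );
}

console.log('Strict:', evaluate(strictSession));
console.log('Lax:   ', evaluate(laxSession));
```

With Strict the session is absent on the OAuth callback, on the redirect that follows it and on any external link, so the user lands logged out; with Lax those three succeed while the cross-site POST and the cross-site fetch are still sent without the cookie, which is the CSRF protection the comment refers to as "most of the safety guards".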

pixelmund commented 2 years ago

Hey @mrkishi, thanks for reporting this. I think it makes absolute sense to make Lax the default. I'll try to get a new version out very soon!

pixelmund commented 2 years ago

This is now the default in v2.1.4