For some reason, we've seen an influx of questions about how to properly handle user sessions after an OAuth login with SvelteKit. While this isn't exclusive to svelte-kit-cookie-session, your users are also unknowingly affected because of the SameSite=Strict default.
The issue with SameSite=Strict is that it is too restrictive for the vast majority of use-cases. It prevents browsers from sending cookies on all requests that originated from a third-party domain, even if indirectly. This is the case for OAuth logins: third-party services usually issue 302 redirects to your callback endpoints where you're likely to further redirect the user to a specific page—but since the redirect chain originated outside your domain, the browser will not send the cookies upon arrival at the target page.
While it does provide more security than Lax, its usefulness is dubious for most people. With Strict, if a third-party domain even links to your site with a vanilla <a href="https://www.yoursite.com">Your site</a> anchor, your users will be logged out when navigating through those links as the cookies will be blocked.
Please, consider switching to SameSite=Lax by default as it enables most of the safety guards while not breaking common use-cases.
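To make the difference between Strict and Lax concrete, here is an added example (not code from svelte-kit-cookie-session or SvelteKit). It models the browser's SameSite decision closely enough to trace the OAuth redirect chain described above, shows the cross-site cases that Lax still blocks (form POSTs, subresource fetches), and builds the Set-Cookie header a session library would emit. The hostnames app.example, idp.example, blog.example and evil.example are constructed for the example; `site()` approximates "same site" as the last two host labels rather than doing a Public Suffix List lookup.

```javascript
// Added example: a small model of the SameSite cookie rule and the OAuth
// redirect chain from the issue. Not the project's code; hostnames are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Approximate "site" as the registrable domain (last two labels). Real browsers
// consult the Public Suffix List; this is enough for the hosts used here.
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

/**
 * Would the browser attach a cookie with the given SameSite value to this request?
 *   initiator: URL of the document that caused the request (null for address-bar
 *              or bookmark navigation). For a redirect chain it stays the URL that
 *              started the chain, which is why Strict breaks OAuth callbacks.
 *   target:    URL being requested.
 *   topLevel:  true when the request changes the address bar (link click, 302 hop);
 *              false for fetch(), <img>, iframes and other subresources.
 */
function cookieIsSent(sameSite, { method, initiator, target, topLevel }) {
  const crossSite = initiator !== null && site(initiator) !== site(target);
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (sameSite) {
    case 'None':
      return true; // sent everywhere (must also be Secure)
    case 'Strict':
      return false; // nothing cross-site, not even a plain <a href> link
    case 'Lax':
      // Only top-level navigations with a safe method: a link or a 302 hop gets
      // the cookie, a cross-site form POST or a background fetch does not.
      return topLevel && SAFE_METHODS.has(method.toUpperCase());
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Follow every hop of a redirect chain that was started cross-site and report
// whether the cookie is still attached when the final page is requested.
function sessionSurvivesChain(sameSite, initiator, hops) {
  return hops.every((target) =>
    cookieIsSent(sameSite, { method: 'GET', initiator, target, topLevel: true }),
  );
}

// The chain from the issue: the identity provider 302s to /callback, and the
// app then 302s to the page the user actually wanted.
const OAUTH_HOPS = ['https://app.example/callback', 'https://app.example/dashboard'];

// Set-Cookie header a session library would emit; Lax is the default here, which
// is the change this issue asks for. HttpOnly and Secure are kept in both cases.
function sessionCookieHeader(name, value, { sameSite = 'Lax', maxAge = 7 * 24 * 3600 } = {}) {
  const attrs = ['Path=/', 'HttpOnly', 'Secure', `SameSite=${sameSite}`, `Max-Age=${maxAge}`];
  return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// Trace the scenarios from the issue.
for (const mode of ['Strict', 'Lax']) {
  console.log(
    `${mode}: OAuth redirect chain keeps session =`,
    sessionSurvivesChain(mode, 'https://idp.example/authorize', OAUTH_HOPS),
    '| plain cross-site link keeps session =',
    cookieIsSent(mode, { method: 'GET', initiator: 'https://blog.example/post',
                         target: 'https://app.example/', topLevel: true }),
    '| cross-site form POST sends cookie =',
    cookieIsSent(mode, { method: 'POST', initiator: 'https://evil.example/',
                         target: 'https://app.example/settings', topLevel: true }),
  );
}
```

The Lax result is the point of the issue: the user arrives at /dashboard after the OAuth hop with their session intact, while a cross-site form POST or a background fetch from another origin still gets no cookie, so the CSRF guard that most people want from SameSite is preserved.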