Set the cookie SameSite directive to Strict

[sandbergja]

Success criteria

• [ ] Recap's Set-Cookie response header includes "SameSite=Strict"
• [ ] This has no negative effects on logging in to Drupal and taking actions as a logged-in user

Rationale

This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of https://github.com/pulibrary/dacs_handbook/issues/154

Drupal 10 Documentation

• Change record

Tradeoff

If a user logs into Recap, navigates to a non-Princeton Web site (e.g. Outlook), and then clicks a link from that Web site back to Recap, they will need to log in to Recap again.

Further reading

I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.

[sandbergja]

Closing in favor of https://github.com/pulibrary/princeton_ansible/issues/4585