From 5b90f0a97b1f49b19d395ffe2cf14dda12d87fc9 Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Sat, 26 Feb 2022 14:01:08 -0800
Subject: [PATCH] set SameSite to Lax on session cookies

---
 lib/authenticator.js | 6 ++++--
 lib/session-manager.js | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/authenticator.js b/lib/authenticator.js
index c388ee8..0c0c349 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -266,8 +266,9 @@ class Authenticator {
 const cookieParts = [
 sessionCookie,
 'HttpOnly',
- `Path=${this.options.dingus.proxyPrefix}/`,
 `Max-Age=${this.cookieLifespan}`,
+ 'SameSite=Lax',
+ `Path=${this.options.dingus.proxyPrefix}/`,
 ];
 if (this.options.authenticator.secureAuthOnly) {
 cookieParts.push('Secure');
@@ -282,6 +283,7 @@ class Authenticator {
 `${Enum.SessionCookie}=""`,
 'HttpOnly',
 'Max-Age=0',
+ 'SameSite=Lax',
 `Path=${this.options.dingus.proxyPrefix}/`,
 ];
 if (this.options.authenticator.secureAuthOnly) {
@@ -385,4 +387,4 @@ class Authenticator {
 }
-module.exports = Authenticator;
\ No newline at end of file
+module.exports = Authenticator;
diff --git a/lib/session-manager.js b/lib/session-manager.js
index a97a0e0..bd08eef 100644
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@@ -51,6 +51,7 @@ class SessionManager {
 const cookieParts = [
 `${cookieName}=${secureSession}`,
 'HttpOnly',
+ 'SameSite=Lax',
 ];
 if (this.options.authenticator.secureAuthOnly) {
 cookieParts.push('Secure');
@@ -345,4 +346,4 @@ class SessionManager {
 }
-module.exports = SessionManager;
\ No newline at end of file
+module.exports = SessionManager;
-- 
2.43.2
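Review bot: The `'SameSite=Lax'` literal is written out three times — here, in the cookie-clearing array in the next hunk of this file, and in lib/session-manager.js — so the set, clear and session-manager cookies can silently drift apart if one copy is later edited. A single shared constant, e.g. `const SAME_SITE_ATTRIBUTE = 'SameSite=Lax';` defined wherever `Enum.SessionCookie` is, pushed by each builder, keeps them aligned; better still, a small helper returning the common attributes (`HttpOnly`, `SameSite=Lax`, `Path`, and `Secure` when `secureAuthOnly` is set) would also remove the duplicated `secureAuthOnly` branches. Attribute order in a Set-Cookie header carries no meaning, so moving `Path` after `Max-Age` is cosmetic. The method that builds cookieParts starts and ends outside this hunk.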
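Review bot: Nothing records why `Lax` was chosen over `Strict` for the session cookie built here, and the same gap exists for the two cookies in lib/authenticator.js. Lax still attaches the cookie to top-level GET navigations arriving from another site, which is what keeps a session alive across a cross-site redirect back into the application, whereas Strict would drop it; if no such flow exists, Strict is the tighter setting. A one-line comment above the new entry, `// SameSite=Lax rather than Strict so the session survives top-level navigations from other sites; tighten to Strict if no such flow is needed.`, makes the trade-off visible to the next reader. The method that builds cookieParts starts and ends outside this hunk.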