From: Justin Wind <justin.wind+git@gmail.com>
Date: Sat, 26 Feb 2022 22:01:08 +0000 (-0800)
Subject: set SameSite to Lax on session cookies
X-Git-Tag: v1.2.1~2
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=5b90f0a97b1f49b19d395ffe2cf14dda12d87fc9;p=squeep-authentication-module

set SameSite to Lax on session cookies
---

diff --git a/lib/authenticator.js b/lib/authenticator.js
index c388ee8..0c0c349 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -266,8 +266,9 @@ class Authenticator {
       const cookieParts = [
         sessionCookie,
         'HttpOnly',
-        `Path=${this.options.dingus.proxyPrefix}/`,
         `Max-Age=${this.cookieLifespan}`,
+        'SameSite=Lax',
+        `Path=${this.options.dingus.proxyPrefix}/`,
       ];
       if (this.options.authenticator.secureAuthOnly) {
         cookieParts.push('Secure');
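Review bot: The `'SameSite=Lax'` attribute is written as a bare string literal here and again in the cookie-clearing hunk below (line with `'Max-Age=0'`) and in lib/session-manager.js, so a later change to the policy (for example to `Strict` if the login flow turns out never to cross sites) has to be made in three places and can silently diverge. A single shared constant next to the existing `Enum.SessionCookie`-style values, referenced from all three arrays — e.g. `const SAME_SITE_ATTR = 'SameSite=Lax';` (name is a proposal) — would keep the session cookie and its clearing cookie in step. A one-line comment on why Lax was chosen over Strict, such as `// Lax rather than Strict so the cookie still accompanies top-level navigations back from external redirects`, would help the next maintainer if that is the reason; hedged, since the redirect behaviour is not visible in this hunk. Moving the `Path=` attribute after `Max-Age` is harmless, as attribute order in Set-Cookie is not significant. The enclosing method begins and ends outside this hunk.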
@@ -282,6 +283,7 @@ class Authenticator {
         `${Enum.SessionCookie}=""`,
         'HttpOnly',
         'Max-Age=0',
+        'SameSite=Lax',
         `Path=${this.options.dingus.proxyPrefix}/`,
       ];
       if (this.options.authenticator.secureAuthOnly) {
@@ -385,4 +387,4 @@ class Authenticator {
 
 }
 
-module.exports = Authenticator;
\ No newline at end of file
+module.exports = Authenticator;
diff --git a/lib/session-manager.js b/lib/session-manager.js
index a97a0e0..bd08eef 100644
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@@ -51,6 +51,7 @@ class SessionManager {
     const cookieParts = [
       `${cookieName}=${secureSession}`,
       'HttpOnly',
+      'SameSite=Lax',
     ];
     if (this.options.authenticator.secureAuthOnly) {
       cookieParts.push('Secure');
@@ -345,4 +346,4 @@ class SessionManager {
 
 }
 
-module.exports = SessionManager;
\ No newline at end of file
+module.exports = SessionManager;