From 5b90f0a97b1f49b19d395ffe2cf14dda12d87fc9 Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Sat, 26 Feb 2022 14:01:08 -0800 Subject: [PATCH] set SameSite to Lax on session cookies --- lib/authenticator.js | 6 ++++-- lib/session-manager.js | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/authenticator.js b/lib/authenticator.js index c388ee8..0c0c349 100644 --- a/lib/authenticator.js +++ b/lib/authenticator.js @@ -266,8 +266,9 @@ class Authenticator { const cookieParts = [ sessionCookie, 'HttpOnly', - `Path=${this.options.dingus.proxyPrefix}/`, `Max-Age=${this.cookieLifespan}`, + 'SameSite=Lax', + `Path=${this.options.dingus.proxyPrefix}/`, ]; if (this.options.authenticator.secureAuthOnly) { cookieParts.push('Secure'); @@ -282,6 +283,7 @@ class Authenticator { `${Enum.SessionCookie}=""`, 'HttpOnly', 'Max-Age=0', + 'SameSite=Lax', `Path=${this.options.dingus.proxyPrefix}/`, ]; if (this.options.authenticator.secureAuthOnly) { @@ -385,4 +387,4 @@ class Authenticator { } -module.exports = Authenticator; \ No newline at end of file +module.exports = Authenticator; diff --git a/lib/session-manager.js b/lib/session-manager.js index a97a0e0..bd08eef 100644 --- a/lib/session-manager.js +++ b/lib/session-manager.js @@ -51,6 +51,7 @@ class SessionManager { const cookieParts = [ `${cookieName}=${secureSession}`, 'HttpOnly', + 'SameSite=Lax', ]; if (this.options.authenticator.secureAuthOnly) { cookieParts.push('Secure'); @@ -345,4 +346,4 @@ class SessionManager { } -module.exports = SessionManager; \ No newline at end of file +module.exports = SessionManager; -- 2.45.2