Set cookie same site protection to nil #1608

thomasleese · 2023-07-31T16:43:03Z

This is an attempt to fix an issue we're seeing where signing in with Omniauth isn't working in Safari. Setting this value to nil (which means the SameSite attribute is left unset) should in theory be the same as setting to to lax (which means the SameSet attribute is set to Lax), however it seems like Safari treats these differently:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax

omniauth/omniauth-oauth2#155 (comment)

Trello Card

This is an attempt to fix an issue we're seeing where signing in with Omniauth isn't working in Safari. Setting this value to `nil` (which means the `SameSite` attribute is left unset) should in theory be the same as setting to to `lax` (which means the `SameSet` attribute is set to `Lax`), however it seems like Safari treats these differently: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax omniauth/omniauth-oauth2#155 (comment)

config/initializers/session_store.rb

thomasleese requested a review from a team as a code owner July 31, 2023 16:43

github-advanced-security bot found potential problems Jul 31, 2023

View reviewed changes

config/initializers/session_store.rb Dismissed Show resolved Hide resolved

thomasleese enabled auto-merge July 31, 2023 16:53

richardpattinson approved these changes Aug 1, 2023

View reviewed changes

thomasleese merged commit 8679711 into main Aug 1, 2023
12 checks passed

thomasleese deleted the not-explicit-same-site-lax branch August 1, 2023 13:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Set cookie same site protection to nil #1608

Set cookie same site protection to nil #1608

thomasleese commented Jul 31, 2023

Set cookie same site protection to nil #1608

Set cookie same site protection to nil #1608

Conversation

thomasleese commented Jul 31, 2023