From a72c6406f0d5ebaa89d67ed5177ee5eec21c24f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Tue, 17 Dec 2024 22:32:23 +0100
Subject: [PATCH] Use samesite lax for portal cookies
---
 src/authenticators/ldap_ynhuser.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/authenticators/ldap_ynhuser.py b/src/authenticators/ldap_ynhuser.py
index 98c8547246..b80f640c93 100644
--- a/src/authenticators/ldap_ynhuser.py
+++ b/src/authenticators/ldap_ynhuser.py
@@ -252,7 +252,7 @@ def set_session_cookie(self, infos):
 secure=True,
 httponly=True,
 path="/",
- samesite="strict" if not is_dev else None,
+ samesite="lax" if not is_dev else None,
 domain=f".{request.get_header('host')}",
 max_age=SESSION_VALIDITY - 600, # remove 1 minute such that cookie expires on the browser slightly sooner on browser side, just to help desimbuigate edge case near the expiration limit
@@ -305,7 +305,7 @@ def get_session_cookie(self, decrypt_pwd=False):
 secure=True,
 httponly=True,
 path="/",
- samesite="strict" if not is_dev else None,
+ samesite="lax" if not is_dev else None,
 domain=f".{request.get_header('host')}",
 max_age=SESSION_VALIDITY - 600, # remove 1 minute such that cookie expires on the browser slightly sooner on browser side, just to help desimbuigate edge case near the expiration limit
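Review bot: With `samesite="lax"` on the changed line the session cookie is now attached to cross-site top-level GET navigations, so any portal or proxied route that changes state on a GET (logout links, one-click actions) becomes reachable from a third-party page with the victim's session; Strict was covering that case, Lax only keeps withholding the cookie on cross-site POST, iframes and fetch/XHR. The relaxation is a deliberate trade-off and deserves a why-comment on that line so nobody "hardens" it back to Strict without understanding the cost, e.g. `# Lax rather than Strict: the cookie must be sent on top-level navigations into the portal from other sites; it is still withheld on cross-site POST/XHR/iframes, so state-changing routes must not be GET and forms still need CSRF tokens.` The `is_dev` branch passes `samesite=None`, which presumably makes the framework omit the attribute entirely (browser default) rather than emit `SameSite=None` — worth confirming that is the intended dev behaviour. set_session_cookie starts and ends outside the hunk.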
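Review bot: The cookie attribute list in this get_session_cookie hunk is a verbatim copy of the one in set_session_cookie, which is exactly why this commit had to patch the same `samesite=` line twice; the two sites can drift silently the next time one of them is hardened and the other is forgotten. Extracting the shared attributes into one helper and passing `**self._session_cookie_kwargs()` at both call sites keeps them in lockstep and gives the SameSite choice a single documented home. While there, the neighbouring comment says "remove 1 minute" while `max_age` subtracts 600 — if max_age is in seconds that is ten minutes, so one of the two should be corrected. get_session_cookie continues outside the hunk and the call that receives these keyword arguments is not visible here, so the helper below assumes plain kwargs are accepted — confirm at the call site.
```python
    def _session_cookie_kwargs(self):
        """Attributes shared by every place the portal session cookie is (re)issued."""
        return {
            "secure": True,
            "httponly": True,
            "path": "/",
            # Lax rather than Strict: the cookie must be sent on top-level
            # navigations into the portal from other sites; it is still
            # withheld on cross-site POST/XHR/iframes, so state-changing
            # routes must not be GET and forms still need CSRF tokens.
            "samesite": "lax" if not is_dev else None,
            "domain": f".{request.get_header('host')}",
            # Let the browser expire the cookie a little before the server
            # does, to avoid races right at the validity boundary.
            "max_age": SESSION_VALIDITY - 600,
        }
```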