Expand session cookie configuration
Closed this issue · 3 comments
It appears that the default of SameSite=Strict results in cookies that are sent as part of a redirection response (either 303 or 302) not being retained or sent by the browser afterwards; setting SameSite=Lax yields expected behavior. (There are some other workarounds described in https://stackoverflow.com/questions/42216700, FWIW.)
It seems reasonable to suspect that there are a variety of contexts where the various session implementations using Cookie.set_cookie's defaults will be inappropriate. Rather than suggest a narrow addition of SameSite configurability to address the above specific issue, maybe it is more reasonable to expose all of set_cookie's options via each of the session middlewares?
(Maybe this is just another bullet point for #13.)
Exposing the set_cookie options seems reasonable. I am a little scared of having every session middleware have a lot of options, but it does seem like these things should be readily configurable.
A solution to work around the issue is to redirect with a 200 which can be done like so:
let redirect_200 url =
let html =
Printf.sprintf
{|<html><head><meta http-equiv="refresh" content="0;URL='%s'"/></head><body><p>Moved to <a href="%s">%s</a>.</p></body></html>|}
url url url
in
Dream.html htmlThis worked for my OIDC scenario at least, not sure if it's too hacky or not, but at least it works.
The above commit changes the default for Dream's cookies from SameSite=Strict to SameSite=Lax. It has been pointed out to me by @andreypopp, and I further confirmed, that Lax is the right default for all cookies.
I think that solves the underlying issue here. Please comment, though, if you think the session middleware does need more configuration options for any other reason!