Set SameSite option on session cookies

Question

alex opened this issue 7 years ago · 2 comments

Currently supported in Firefox and Chromium; it provides strong defense in depth against CSRF.

Answer 1 · 2018-05-14T13:02:08.000Z

Assuming there's interest, I'm happy to add support.

Answer 2 · 2018-05-14T19:09:14.000Z

That sounds like a very good idea.

I think a proposed implementation should act in "Lax" mode and support a way to disable it / switch to Safe.

If you are willing to provide a PR I'll gladly review and merge it.