Set the cookie SameSite directive to Strict

[sandbergja]

Success criteria

• Lib Job's Set-Cookie response header includes "SameSite=Strict"

Rationale

This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154

Example PR

pulibrary/orangelight#3932

Tradeoff

If a user logs into lib jobs, navigates to a non-Princeton Web site (e.g. some documentation on Github), and then clicks a link from that Web site back to lib jobs, they will need to log in to lib jobs again.

Further reading

I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.