https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- But what's the use case for a Koha staff user changing the SameSite value for a cookie? Due to deep linking (e.g. linking to a search result page and visiting it as an authenticated user), I can't think of a case off the top of my head that shoulnd't be SameSite=Lax. With SameSite=None, we'd be letting any site send that cookie. I can't see any reason to do that. We wouldn't be creating tracking cookies, and I don't know why we'd let another site send a cookie to Koha via a background call. SameSite=Strict sounds good in theory for internal cookie usage, but - due to that deep linking I mentioned - every cookie I can think of should be sendable when externally navigating to the site. That said, I'd be willing to test this theory to try to prove it wrong. I have a feeling that using SameSite=Strict would break a lot of Koha functionality when navigating directly to a page (like search results), but I'm happy to be proven wrong. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.