[Koha-bugs] [Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Aug 7 01:17:17 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #6 from David Cook <dcook at prosentient.com.au> ---
But what's the use case for a Koha staff user changing the SameSite value for a
cookie?

Due to deep linking (e.g. linking to a search result page and visiting it as an
authenticated user), I can't think of a case off the top of my head that
shouldn't be SameSite=Lax.

With SameSite=None, we'd be letting any site send that cookie. I can't see any
reason to do that. We wouldn't be creating tracking cookies, and I don't know
why we'd let another site send a cookie to Koha via a background call.

SameSite=Strict sounds good in theory for internal cookie usage, but - due to
that deep linking I mentioned - every cookie I can think of should be sendable
when externally navigating to the site. That said, I'd be willing to test this
theory to try to prove it wrong. I have a feeling that using SameSite=Strict
would break a lot of Koha functionality when navigating directly to a page
(like search results), but I'm happy to be proven wrong.

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
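The three cases argued over above (a deep link to a search results page, a background call from another site, and a cross-site form POST) can be checked against a small model of the browser's SameSite rules. The following is an added example, not Koha's own code: it parses a constructed Set-Cookie header of the shape Koha's CGISESSID cookie might have, applies the SameSite rules from RFC 6265bis, and reports which request contexts still carry the cookie. The request-context shape, the cookie value, the Secure attribute and the scenario names are assumptions of this example.

```javascript
// Added example (not Koha code): a model of the browser-side SameSite rules
// (RFC 6265bis) applied to a Koha-style session cookie.

// Parse a Set-Cookie header into {name, value, secure, httpOnly, sameSite}.
// Returns null where a browser would reject the cookie outright
// (SameSite=None without Secure).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,               // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') {
      const val = (v || '').toLowerCase();
      // Unrecognised values fall back to Lax, as Chromium does.
      cookie.sameSite = val === 'strict' ? 'Strict' : val === 'none' ? 'None' : 'Lax';
    }
  }
  if (cookie.sameSite === 'None' && !cookie.secure) return null;
  return cookie;
}

// Decide whether the browser attaches `cookie` to a request.
// request: { crossSite, topLevelNavigation, method, https } (shape assumed here)
function cookieIsSent(cookie, request) {
  if (cookie.secure && !request.https) return false;   // Secure: never over plain HTTP
  if (!request.crossSite) return true;                 // same-site: SameSite is irrelevant
  // An absent attribute is modelled as Lax (Chromium's default since 2020;
  // other browsers still treat it as None).
  const mode = cookie.sameSite || 'Lax';
  if (mode === 'None') return true;
  if (mode === 'Strict') return false;
  // Lax: cross-site only on a top-level navigation with a safe method.
  const safeMethod = ['GET', 'HEAD'].includes(request.method.toUpperCase());
  return request.topLevelNavigation && safeMethod;
}

// The cases raised in the thread, as constructed request contexts.
const SCENARIOS = {
  // A user follows a link from another site to a Koha search results page.
  deepLink:       { crossSite: true,  topLevelNavigation: true,  method: 'GET',  https: true },
  // A form on another site POSTing to Koha (the classic CSRF shape).
  crossSitePost:  { crossSite: true,  topLevelNavigation: true,  method: 'POST', https: true },
  // A background call (fetch/XHR/img) from another site to Koha.
  backgroundCall: { crossSite: true,  topLevelNavigation: false, method: 'GET',  https: true },
  // Ordinary navigation inside Koha itself.
  sameSite:       { crossSite: false, topLevelNavigation: true,  method: 'GET',  https: true },
};

// For one Set-Cookie header, report which scenarios still receive the cookie.
function sentIn(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie === null) return null;
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) out[name] = cookieIsSent(cookie, req);
  return out;
}

// Constructed headers in the shape a Koha session cookie might take.
const LAX    = 'CGISESSID=abc123; path=/; HttpOnly; Secure; SameSite=Lax';
const STRICT = 'CGISESSID=abc123; path=/; HttpOnly; Secure; SameSite=Strict';
const NONE   = 'CGISESSID=abc123; path=/; HttpOnly; Secure; SameSite=None';

console.log(sentIn(LAX));     // deep link keeps the session; POST and background call do not
console.log(sentIn(STRICT));  // the deep link arrives without the session cookie
console.log(sentIn(NONE));    // every cross-site request carries the cookie
```

Running it shows the trade-off in the comment above: Lax is the only setting where the deep-linked search page still sees the session while a cross-site background call or form POST does not, Strict drops the cookie on the deep link as well, and None hands it to every cross-site request. The model ignores the two-minute "Lax-allowing-unsafe" grace period some browsers apply to cookies with no SameSite attribute, and it treats cross-site redirects as ordinary top-level navigations.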
