Security/Auth Cookie storage can't set SameSite to Strict

jeremy
Member | 54
+
0
-

Hi, I found possibly a bug where neither

	security:
		authentication:
			storage: cookie
			cookieSamesite: Strict

nor

	$user->getStorage()->setCookieParameters('name', NULL, 'Strict');

actually sets the cookie to Strict.

I traced it back to this part of Nette:

	/** @var string */
	private $cookieSameSite = 'Lax';

	...

	public function saveAuthentication(IIdentity $identity): void
	{
		$uid = (string) $identity->getId();
		if (strlen($uid) < self::MIN_LENGTH) {
			throw new \LogicException('UID is too short.');
		}
		$this->response->setCookie(
			$this->cookieName,
			$uid,
			$this->cookieExpiration,
			null,
			$this->cookieDomain
		);
	}

As you can see, the cookieSameSite property isn't used at all when creating the auth cookie.

David Grudl
Nette Core | 8199
+
+2
-

Fixed.

But setting cookieSamesite: Strict doesn't seem like a good idea to me, the site will behave strangely from the users point of view.

jeremy
Member | 54
+
0
-

Yes, you are right, I just thought it was worth mentioning considering the option for setting it that way is there.

Anyway, thanks!