Security/Auth Cookie storage can't set SameSite to Strict
- jeremy
- Member | 54
Hi, I found what is possibly a bug where neither

```neon
security:
    authentication:
        storage: cookie
        cookieSamesite: Strict
```

nor

```php
$user->getStorage()->setCookieParameters('name', null, 'Strict');
```

actually sets the cookie to Strict.
I traced it back to this part of Nette:
```php
/** @var string */
private $cookieSameSite = 'Lax';

...

public function saveAuthentication(IIdentity $identity): void
{
    $uid = (string) $identity->getId();
    if (strlen($uid) < self::MIN_LENGTH) {
        throw new \LogicException('UID is too short.');
    }
    // only name, value, expiration, path and domain are passed;
    // $this->cookieSameSite is never handed to setCookie()
    $this->response->setCookie(
        $this->cookieName,
        $uid,
        $this->cookieExpiration,
        null,
        $this->cookieDomain
    );
}
```
As you can see, the cookieSameSite property isn't used at all when creating the auth cookie.
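A quick way to confirm what the auth cookie actually carries is to audit the `Set-Cookie` header the application emits. The following check is an added example, not part of the original post or of Nette; the two headers are constructed samples (the first models the behaviour described above with no SameSite attribute, the second a corrected emitter), and the cookie name `userid` is an assumed value.

```python
"""Audit Set-Cookie headers for the attributes an auth cookie should carry."""
from typing import Dict, List, Optional, Tuple

# Constructed sample headers, not captured from a real deployment:
# the first models the buggy CookieStorage from the thread (no SameSite),
# the second what a corrected emitter would send.
SAMPLE_HEADERS = [
    "userid=8b1f0c3a9d2e; expires=Tue, 01 Jan 2030 00:00:00 GMT; path=/; domain=example.test; HttpOnly",
    "userid=8b1f0c3a9d2e; expires=Tue, 01 Jan 2030 00:00:00 GMT; path=/; domain=example.test; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; bare flags such as HttpOnly map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_auth_cookie(header: str, expected_name: str,
                      allowed_samesite=("strict", "lax")) -> List[str]:
    """Return findings for the named auth cookie; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    if name != expected_name:
        return []  # some other cookie; not the one under audit
    findings: List[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("SameSite attribute missing (browser default applies)")
    elif samesite.lower() not in allowed_samesite:
        findings.append(f"SameSite={samesite} is weaker than required")
    if "secure" not in attrs:
        findings.append("Secure flag missing")
    if "httponly" not in attrs:
        findings.append("HttpOnly flag missing")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header.split(";")[0], "->", audit_auth_cookie(header, "userid") or ["OK"])
```

Pass `allowed_samesite=("strict",)` if the deployment really requires Strict; the default also accepts Lax, which is the value the storage falls back to.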
- David Grudl
- Nette Core | 8199
Fixed.
But setting `cookieSamesite: Strict` doesn't seem like a good idea to me; the site will behave strangely from the user's point of view.