Use samesite lax for portal cookies

YunoHost · Feb 22, 2025 · 318c96a · 318c96a
1 parent f84d092
commit 318c96a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/authenticators/ldap_ynhuser.py b/src/authenticators/ldap_ynhuser.py
@@ -278,7 +278,7 @@ def set_session_cookie(self, infos):
             secure=True,
             httponly=True,
             path="/",
-            samesite="strict" if not is_dev else None,
+            samesite="lax" if not is_dev else None,
             domain=f".{request.get_header('host')}",
             max_age=SESSION_VALIDITY
             - 600,  # remove 1 minute such that cookie expires on the browser slightly sooner on browser side, just to help desimbuigate edge case near the expiration limit
@@ -331,7 +331,7 @@ def get_session_cookie(self, decrypt_pwd=False):
             secure=True,
             httponly=True,
             path="/",
-            samesite="strict" if not is_dev else None,
+            samesite="lax" if not is_dev else None,
             domain=f".{request.get_header('host')}",
             max_age=SESSION_VALIDITY
             - 600,  # remove 1 minute such that cookie expires on the browser slightly sooner on browser side, just to help desimbuigate edge case near the expiration limit