Use SameSite Lax for session cookie

When a user browses to a page from another site, for example via a
shared link we want the browser to send the session cookie so that
the page renders as the user and not confusingly being logged out.

This may cause CSRF vulnerabilities, later work to add CSRF tokens
should be considered.
This commit is contained in:
Hornwitser 2025-07-09 15:35:17 +02:00
parent aaa2faffb1
commit a33c8e9dac


@ -25,7 +25,7 @@ export async function setSignedCookie(event: H3Event, name: string, value: strin
const secret = await useCookieSecret(event);
const signature = await crypto.subtle.sign("HMAC", secret, Buffer.from(`${name}=${value}`));
const cookie = `${value}.${Buffer.from(signature).toString("base64url")}`
setCookie(event, name, cookie, { httpOnly: true, secure: true, sameSite: true, maxAge });
setCookie(event, name, cookie, { httpOnly: true, secure: true, sameSite: "lax", maxAge });
}
export async function getSignedCookie(event: H3Event, name: string) {
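Review bot: The new `sameSite: "lax"` on the setCookie line relaxes the session cookie from Strict to Lax, but neither the hunk nor the call site records the constraint that makes Lax acceptable: the cookie is now attached to top-level cross-site GET navigations, so any handler that changes state on GET (or another safe method) is reachable cross-site until the CSRF tokens mentioned in the description exist. I'd add a comment above the call, e.g. `// "lax": sent on top-level cross-site navigations (shared links) but not on cross-site POST/fetch; until CSRF tokens exist, state-changing handlers must not act on safe methods and should verify Origin / Sec-Fetch-Site.` so the next change to a route handler sees the assumption. Since `name` and `value` are what the HMAC on the previous lines covers while the cookie attributes are not, it is also worth stating in setSignedCookie's TSDoc that the SameSite/Secure/HttpOnly policy is fixed at this single call site and not part of the signed payload. setSignedCookie's signature and the start of its body lie outside the hunk.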