From a33c8e9dac063c086ac40ea18565375d6fa5029f Mon Sep 17 00:00:00 2001
From: Hornwitser
Date: Wed, 9 Jul 2025 15:35:17 +0200
Subject: [PATCH] Use SameSite Lax for session cookie

When a user browses to a page from another site, for example via a shared link we want the browser to send the session cookie so that the page renders as the user and not confusingly being logged out. This may cause CSRF vulenrabilities, later work to add CSRF tokens should be considered.
---
 server/utils/signed-cookie.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/utils/signed-cookie.ts b/server/utils/signed-cookie.ts
index b7c4129..88b9687 100644
--- a/server/utils/signed-cookie.ts
+++ b/server/utils/signed-cookie.ts
@@ -25,7 +25,7 @@ export async function setSignedCookie(event: H3Event, name: string, value: strin
 const secret = await useCookieSecret(event);
 const signature = await crypto.subtle.sign("HMAC", secret, Buffer.from(`${name}=${value}`));
 const cookie = `${value}.${Buffer.from(signature).toString("base64url")}`
- setCookie(event, name, cookie, { httpOnly: true, secure: true, sameSite: true, maxAge });
+ setCookie(event, name, cookie, { httpOnly: true, secure: true, sameSite: "lax", maxAge });
 }
 
 export async function getSignedCookie(event: H3Event, name: string) {
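Review bot: The `+` line relaxes the session cookie from Strict (what `sameSite: true` is emitted as by the cookie serializer h3 uses) to Lax, and nothing in the code records why, so the CSRF trade-off that only the commit message acknowledges will be invisible to the next reader; add a comment above the `setCookie` call such as `// "lax" so the session survives top-level cross-site navigation (shared links).` followed by `// Cross-site POST/fetch still omits the cookie, but state-changing GET handlers are reachable cross-site until CSRF tokens exist.` Because Lax withholds the cookie on cross-site POST and fetch, the remaining exposure is any handler that mutates state on a GET, so that set is worth auditing, and an interim `Origin`/`Sec-Fetch-Site` check on mutating routes would close the gap until tokens land. setSignedCookie's signature is above the hunk, and getSignedCookie's body continues past it.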