koajs / session

Simple session middleware for koa


important "sameSite" attribute missing

artofspeed opened this issue · comments

An extremely important attribute, "SameSite", is missing.

Set-Cookie: foo=bar; SameSite=Strict
Set-Cookie: foo=bar; SameSite=Lax

It allows servers to assert that a cookie ought not to be sent along with cross-site requests, which provides some protection against cross-site request forgery attacks (CSRF).

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Shouldn't we add it? Thanks.

I came here looking for the same thing — I found that although it's not documented, opts are passed through directly to where the cookie is created. So you can simply add sameSite: "lax" (or strict, etc.) and it will be applied to the cookie.

const Koa = require("koa");
const session = require("koa-session");
const app = new Koa();
app.keys = ["replace-with-a-real-secret"]; // needed: session cookies are signed by default
app.use(session({ sameSite: "lax" }, app)); // opts are passed through to the cookies package

@dead-horse please update the cookies package, because currently it is:

var sameSiteRegExp = /^(?:lax|strict)$/i

Only the latest version adds the none option.

Please update koa to the latest version.
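To check that the option above actually lands on the session cookie, and to see why the older cookies package rejected "none", here is an added example (not koa-session or cookies code). It parses Set-Cookie headers and reports session cookies that lack SameSite, values the cookies package would reject, and SameSite=None without Secure; the header samples are constructed by hand in the lower-case layout the cookies package emits, and the default koa-session cookie name "koa:sess" (with its "koa:sess.sig" signature cookie) is assumed.

```javascript
// Constructed sample Set-Cookie values, shaped like what a koa app would send.
const SAMPLE_HEADERS = [
  "koa:sess=eyJfZXhwaXJlIjox; path=/; httponly",          // session cookie, no SameSite
  "koa:sess.sig=abc123; path=/; httponly",                 // signature cookie, no SameSite
  "koa:sess=eyJfZXhwaXJlIjox; path=/; samesite=lax; httponly",
  "tracking=1; path=/; samesite=none",                     // None without Secure
];

// Value check used by the cookies package at the time of this thread (lax|strict only),
// and the newer one that also accepts "none".
const oldSameSiteRegExp = /^(?:lax|strict)$/i;
const newSameSiteRegExp = /^(?:lax|strict|none)$/i;

function sameSiteAccepted(value, { allowNone = true } = {}) {
  return (allowNone ? newSameSiteRegExp : oldSameSiteRegExp).test(value);
}

// Parse one Set-Cookie value into { name, value, attrs }; attribute keys are lower-cased,
// flag attributes (secure, httponly) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie values; returns findings for the session cookie pair
// (missing SameSite) and for any cookie with an invalid or unsafe SameSite setting.
function auditSameSite(headers, sessionName = "koa:sess") {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const sameSite = attrs.samesite;
    if (sameSite === undefined) {
      if (name === sessionName || name === `${sessionName}.sig`) {
        findings.push({ name, problem: "missing SameSite" });
      }
    } else if (typeof sameSite !== "string" || !sameSiteAccepted(sameSite)) {
      findings.push({ name, problem: `invalid SameSite value "${sameSite}"` });
    } else if (sameSite.toLowerCase() === "none" && !attrs.secure) {
      findings.push({ name, problem: "SameSite=None requires Secure" });
    }
  }
  return findings;
}
```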


Question for you: After setting the above app.use(session(options, app)), when a user logs in, all I need to do is set the cookie without the need to add all the options again?