important "sameSite" attribute missing
artofspeed opened this issue
An extremely important attribute, "SameSite", is missing.
```http
Set-Cookie: foo=bar; SameSite=Strict
Set-Cookie: foo=bar; SameSite=Lax
```
It allows servers to assert that a cookie ought not to be sent along with cross-site requests, which provides some protection against cross-site request forgery attacks (CSRF).
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Shouldn't we add it? Thanks.
I came here looking for the same thing — I found that although it's not documented, opts
are passed through directly to where the cookie is created. So you can simply add sameSite: "lax"
(or strict, etc.) and it will be applied to the cookie.
```js
const Koa = require("koa");
const session = require("koa-session");

const app = new Koa();
// koa-session signs the cookie by default, so signing keys are required
app.keys = ["replace-with-a-real-secret"];

// opts are handed straight to the cookie setter, so sameSite ends up on the Set-Cookie header
app.use(session({ sameSite: "lax" }, app));
```
@dead-horse please update the cookies package, 'coz now it is:

```js
var sameSiteRegExp = /^(?:lax|strict)$/i
```

Only the latest version adds the `none` option.
please update koa to the latest version.
> I came here looking for the same thing — I found that although it's not documented, opts are passed through directly to where the cookie is created. So you can simply add sameSite: "lax" (or strict, etc.) and it will be applied to the cookie.
>
> ```js
> const app = new Koa();
> const session = require("koa-session");
> app.use(session({ sameSite: "lax" }, app));
> ```
Question for you: After setting the above app.use(session(options, app)), when a user logs in, all I need to do is set the cookie without the need to add all the options again?
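As an added example (not koa-session's or the cookies package's own code), tying together the opts pass-through shown earlier and the `sameSiteRegExp` comment: it validates a `sameSite` value against the quoted regex and the later one that accepts `none`, emits the attribute on a Set-Cookie value, and models which requests a browser would still attach the cookie to. Helper names and the exact header layout are assumptions.

```javascript
// Added example for this thread (not koa-session or the `cookies` package
// itself): validate a sameSite option the way the quoted regex does, emit the
// attribute on a Set-Cookie value, and model which cookies a browser attaches
// to a cross-site request. Header format and helper names are assumptions.
const LEGACY_SAME_SITE = /^(?:lax|strict)$/i;       // regex quoted in the thread
const CURRENT_SAME_SITE = /^(?:lax|none|strict)$/i; // with the later "none" value

// Build the Set-Cookie value for a session cookie; throws on an invalid
// sameSite value so a typo never silently drops the CSRF protection.
function serializeSessionCookie(name, value, opts = {}, allowNone = true) {
  const pattern = allowNone ? CURRENT_SAME_SITE : LEGACY_SAME_SITE;
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`path=${opts.path}`);
  if (opts.secure) parts.push('secure');
  if (opts.httpOnly) parts.push('httponly');
  if (opts.sameSite !== undefined) {
    if (!pattern.test(opts.sameSite)) {
      throw new TypeError(`option sameSite is invalid: ${opts.sameSite}`);
    }
    const mode = opts.sameSite.toLowerCase();
    // Browsers reject SameSite=None unless the cookie is also Secure.
    if (mode === 'none' && !opts.secure) {
      throw new TypeError('SameSite=None requires the secure option');
    }
    parts.push(`samesite=${mode}`);
  }
  return parts.join('; ');
}

// Simplified model of the browser rules: would a cookie carrying this
// sameSite value be attached to the request described by `req`?
// req = { crossSite, topLevelNavigation, method }
function cookieWouldBeSent(sameSite, req) {
  const mode = (sameSite || 'lax').toLowerCase(); // modern browsers default to Lax
  if (!req.crossSite || mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: sent only on top-level navigations using a safe method, so a
  // cross-site form POST (the classic CSRF vector) carries no session cookie.
  return Boolean(req.topLevelNavigation) && req.method === 'GET';
}
```

Passing `allowNone = false` reproduces the older package behaviour from the thread, where `sameSite: "none"` is rejected outright.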