use SameSite=Strict (for #26)
I initially chose SameSite=Lax because I thought if a user followed a
link to the landing page, the landing page's ajax requests wouldn't send
the cookie. But I just did an experiment, and that's not true. Only the
initial page load (of a .html file) lacks the cookie. All of its
resources and ajax requests send the cookie. I'm not sure about
document.cookie accesses, but my cookie is HttpOnly anyway, so it's
irrelevant. So no reason to be lax.
scottlamb committed Dec 2, 2018
1 parent 3f76096 commit 3c1163d
Showing 2 changed files with 4 additions and 2 deletions.
1 change: 1 addition & 0 deletions db/auth.rs
@@ -190,6 +190,7 @@ pub enum SessionFlags {
HttpOnly = 1,
Secure = 2,
SameSite = 4,
SameSiteStrict = 8,
}

#[derive(Copy, Clone)]
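Review bot: the new `SameSiteStrict = 8` variant has no doc comment and its relationship to the existing `SameSite = 4` is left implicit; as a separate bit, a session can record `SameSiteStrict` without `SameSite`, a combination that has no cookie-attribute meaning. Suggest a short comment on the variant, e.g. `/// SameSite=Strict; only meaningful when SameSite is also set.`, or have the code that interprets the recorded flags treat `SameSiteStrict` as implying `SameSite`. Since the flags are recorded per session at login, sessions created before this change will carry bit 4 without bit 8; if anything reads these flags back, it should tolerate that.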
5 changes: 3 additions & 2 deletions src/web.rs
@@ -532,14 +532,15 @@ impl ServiceInner {
let is_secure = self.is_secure(req);
let flags = (auth::SessionFlags::HttpOnly as i32) |
(auth::SessionFlags::SameSite as i32) |
(auth::SessionFlags::SameSiteStrict as i32) |
if is_secure { (auth::SessionFlags::Secure as i32) } else { 0 };
let (sid, _) = l.login_by_password(authreq, &username, password.into_owned(), domain,
flags)
.map_err(|e| plain_response(StatusCode::UNAUTHORIZED, e.to_string()))?;
let s_suffix = if is_secure {
"; HttpOnly; Secure; SameSite=Lax; Max-Age=2147483648; Path=/"
"; HttpOnly; Secure; SameSite=Strict; Max-Age=2147483648; Path=/"
} else {
"; HttpOnly; SameSite=Lax; Max-Age=2147483648; Path=/"
"; HttpOnly; SameSite=Strict; Max-Age=2147483648; Path=/"
};
let mut encoded = [0u8; 64];
base64::encode_config_slice(&sid, base64::STANDARD_NO_PAD, &mut encoded);
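Review bot: the `flags` bitmask and the two hand-written `s_suffix` literals describe the same cookie attributes in two places, and this very commit had to edit both `SameSite=Lax` strings in step with the new `SameSiteStrict` flag; a future change to one without the other would record a session as Strict while emitting a Lax cookie (or vice versa). Suggest deriving the suffix from `flags` (one helper that maps `HttpOnly`, `Secure`, `SameSite`/`SameSiteStrict` to their attribute strings), or at minimum a unit test asserting the two agree. The `is_secure` split is otherwise correct: `Secure` is only emitted when the request arrived over TLS, and `SameSite=Strict` is valid on its own for the non-secure branch. Unrelated to the change but in the same lines: `Max-Age=2147483648` is 2^31, one above the largest signed 32-bit value, so a user agent that parses Max-Age into a 32-bit signed integer may clamp or reject it; a value at or below 2147483647 avoids that edge.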

0 comments on commit 3c1163d