Open
First -- your software is awesome. Thank you.
I also apologize if this resulted from my misunderstanding. But to make SameSite=Lax appear in Set-Cookie, I updated lib/Plack/Middleware/Session/Cookie.pm like this:
5c5
< use Plack::Util::Accessor qw(secret session_key domain expires path secure httponly samesite
---
> use Plack::Util::Accessor qw(secret session_key domain expires path secure httponly
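Review bot: this hunk is the wrong way round for `patch`: the `<` side is the file with the samesite accessor added and the `>` side is the unmodified file, so it reads as `diff modified original` and applying it would remove samesite rather than add it. Regenerating it with `diff -u original modified` (or `git diff`) so the samesite change appears as a `+` line would let the maintainer apply it directly.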
31c31
< for my $attr (qw(session_key path domain expires secure httponly samesite)) {
---
> for my $attr (qw(session_key path domain expires secure httponly)) {
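Review bot: the `for my $attr` loop only copies each listed attribute onto the state object, so adding samesite here produces a SameSite attribute in Set-Cookie only if Plack::Session::State::Cookie itself has a samesite accessor and emits it; it is worth confirming that against the installed version, and a test that enables samesite => 'Lax' and asserts that the Set-Cookie header contains SameSite=Lax would guard the change.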
144c144
< =item session_key, domain, expires, path, secure, httponly, samesite
---
> =item session_key, domain, expires, path, secure, httponly
Background:
For security reasons our cookies must contain both SameSite and HttpOnly. I updated our .psgi like this:
enable 'Session::Cookie',
store => 'File',
secret => 'top-secret',
httponly => 1, # security
samesite => 'Lax', # requires bugfix
;
However, only HttpOnly appeared in Set-Cookie:
Set-Cookie: plack_session=1679947687.28941%3ABQoDAAAAAQoUZDVhODVmMjNhMTQyMGU5Yzg0NDMAAAAKY3NyZl90b2tlbg%3D%3D%3Aed3d2d7ca08f109168b356aae8334d04b9619ffc; path=/; HttpOnly
I could not make the SameSite entry appear. I tried many permutations.
When I inspected Plack::Session::State::Cookie I realized that samesite was not listed alongside httponly. I added samesite everywhere, and voila, the flag immediately appeared!
Set-Cookie: plack_session=1679948062.33454%3ABQgDAAAAAQoUMzQ3MTU0NWUyZWZmNjUyYWJlZTIAAAAKY3NyZl90b2tlbg%3D%3D%3A2a82445e6fe462efebcf4b429b357bc279f5eb1b; path=/; SameSite=Lax; HttpOnly
Once again, I apologize if I misunderstood something here.
Have a great day, and thanks again for some amazing modules.
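As an added check written for this page (not code from the issue or from Plack::Middleware::Session), the following parses a Set-Cookie header and lists which of the attributes required above (HttpOnly and SameSite) are missing; the two sample headers are shortened, constructed versions of the ones quoted in the issue, with placeholder cookie values.

```python
# Added example: verify that a session Set-Cookie header carries HttpOnly and
# SameSite. It parses header text only and does not depend on Plack.
from typing import Dict, List

REQUIRED_ATTRS = ("httponly", "samesite")
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return {attribute_name_lowercased: value} for one Set-Cookie line.

    The cookie pair itself is stored under 'cookie_name' / 'cookie_value'.
    A leading 'Set-Cookie:' is tolerated so a raw response line can be passed.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"cookie_name": name.strip(), "cookie_value": value.strip()}
    for part in parts[1:]:
        if part:  # skip empty segments left by a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return attrs


def missing_attributes(header: str) -> List[str]:
    """List what the cookie lacks relative to the HttpOnly + SameSite policy."""
    attrs = parse_set_cookie(header)
    problems = [a for a in REQUIRED_ATTRS if a not in attrs]
    samesite = attrs.get("samesite", "").lower()
    if "samesite" in attrs and samesite not in VALID_SAMESITE:
        problems.append("samesite has an unrecognised value")
    # Caveat: browsers reject SameSite=None cookies that are not also Secure.
    if samesite == "none" and "secure" not in attrs:
        problems.append("secure (required with SameSite=None)")
    return problems


# Constructed, shortened versions of the two headers quoted in the issue.
BEFORE_FIX = "Set-Cookie: plack_session=EXAMPLE_SID; path=/; HttpOnly"
AFTER_FIX = "Set-Cookie: plack_session=EXAMPLE_SID; path=/; SameSite=Lax; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, missing_attributes(hdr) or "ok")
```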