Details
Issue type: Improvement
Resolution: Fixed
Neutral
Description
In MGNLTOMCAT-15, we set sameSiteCookies to Strict. The problem was with *not* setting any value for it previously, which would treat the value as "None". In modern browsers, None means everything is permitted, which is less secure, whereas older clients would interpret it as "just ignore those", which is effectively the more secure behaviour.
In spite of HELPDESK-1541, we decided to relax this setting to Lax. Lax should support OpenID's top-level redirects well, while maintaining decent protection against CSRF.
More background at https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/.
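The trade-off described above, as an added example that is not part of this ticket, of Magnolia or of Tomcat: a small Python model of when a browser attaches a cookie under each SameSite value, run against the two request shapes that drove the change (the OpenID top-level redirect and a cross-site request of the kind CSRF relies on). The request shapes, the helper names and the sample cookie are constructed for illustration. In Tomcat itself the value is chosen through the `sameSiteCookies` attribute of the `<CookieProcessor>` element in context.xml; this model only shows why `lax` keeps the redirect working while still blocking cross-site POSTs.

```python
from dataclasses import dataclass

# Methods that RFC 7231 treats as safe; a Lax cookie rides along on a
# cross-site *top-level navigation* only when one of these is used.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    """Constructed description of a request, from the browser's point of view."""
    cross_site: bool            # initiator's site differs from the cookie's site
    top_level_navigation: bool  # replaces the top-level document (redirect, link, form submit)
    method: str


def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Model of the SameSite rules in RFC 6265bis for one cookie and one request.

    Same-site requests always carry the cookie. For cross-site requests:
      None   -> always sent (hence the CSRF exposure the ticket mentions)
      Lax    -> sent only on a top-level navigation with a safe method
      Strict -> never sent
    """
    mode = same_site.lower()
    if not req.cross_site:
        return True
    if mode == "none":
        return True
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "strict":
        return False
    raise ValueError(f"unknown SameSite value: {same_site!r}")


def build_set_cookie(name: str, value: str, same_site: str, secure: bool) -> str:
    """Render a Set-Cookie header; browsers reject SameSite=None without Secure."""
    if same_site.lower() == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"SameSite={same_site.capitalize()}", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed scenarios. The OpenID provider redirects the browser back to the
# application (cross-site, top-level, GET); a CSRF attempt submits a form or
# fires an XHR from another site (cross-site POST).
OPENID_REDIRECT = Request(cross_site=True, top_level_navigation=True, method="GET")
CSRF_FORM_POST = Request(cross_site=True, top_level_navigation=True, method="POST")
CSRF_XHR_POST = Request(cross_site=True, top_level_navigation=False, method="POST")
SAME_SITE_POST = Request(cross_site=False, top_level_navigation=False, method="POST")

SCENARIOS = {
    "openid_redirect": OPENID_REDIRECT,
    "csrf_form_post": CSRF_FORM_POST,
    "csrf_xhr_post": CSRF_XHR_POST,
    "same_site_post": SAME_SITE_POST,
}


def compare_modes() -> dict:
    """For each SameSite mode, which constructed scenarios still carry the cookie."""
    return {
        mode: {name: cookie_is_sent(mode, req) for name, req in SCENARIOS.items()}
        for mode in ("none", "lax", "strict")
    }


if __name__ == "__main__":
    print(build_set_cookie("JSESSIONID", "constructed-session-id", "lax", secure=True))
    for mode, results in compare_modes().items():
        print(mode, results)
```

Reading the output for `lax` shows the property the ticket relies on: the OpenID redirect still carries the session cookie, while both cross-site POST shapes do not; `strict` drops the redirect as well, and `none` carries everything.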