  1. Barebones Tomcat Bundle
  2. MGNLTOMCAT-19

Set sameSiteCookies policy to Lax by default


Details

    • Improvement
    • Resolution: Fixed
    • Neutral
    • 1.2.5

    Description

      In MGNLTOMCAT-15, we set sameSiteCookies to Strict. The problem was with *not* setting any value for it previously, which would treat the value as "None". In modern browsers, None means everything is permitted, which is less secure, whereas older clients would interpret it as "just ignore those", which is effectively the more secure thing to do.

      In spite of HELPDESK-1541, we concluded to relax this setting to Lax. Lax should support OpenID's top-level redirects well, while maintaining decent protection against CSRF.

      More background at https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/.
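The setting this issue changes is the `sameSiteCookies` attribute of Tomcat's `CookieProcessor` in `context.xml`. The fragment below is an added illustration, not the bundle's own configuration file: it shows the previous state (attribute left unset, so Tomcat emits no `SameSite` attribute at all) next to the value chosen here. The attribute and its accepted values (`unset`, `none`, `lax`, `strict`) are Tomcat's; the surrounding `<Context>` element is a minimal assumed wrapper.

```xml
<!-- Added example of a Tomcat context.xml CookieProcessor setting (not the bundle's own file). -->
<Context>

    <!-- Before (MGNLTOMCAT-15 predecessor): attribute not set, so no SameSite
         attribute is written to Set-Cookie and the browser decides the default. -->
    <!--
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
    -->

    <!-- After this issue: Lax. Cookies are still sent on top-level navigations
         (e.g. the redirect back from an OpenID provider) but not on cross-site
         subrequests such as forms posted from another origin. -->
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                     sameSiteCookies="lax" />

</Context>
```

To confirm the change took effect after a restart, request any page that creates a session and inspect the response headers: the `Set-Cookie: JSESSIONID=...` line should now end with `SameSite=Lax`. With `strict`, that same cookie is withheld on the top-level redirect that completes an OpenID login, which is the symptom that motivated relaxing the value.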

              People

                mmichel Maxime Michel
                mgeljic Mikaël Geljić