Omit the SameSite=strict specifier for the login cookie, since that prevents users from clicking a hyperlink on an email notification and then going directly to the relevant page and getting logged in.
Commit
fc5b49e99083ac7e2762560a28e319eff46cbc9acc6087d07d7ad1819220e074
Parent
bc643c32f83424b…
1 file changed
+2
-3
+2
-3
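--- a/src/cgi.c
+++ b/src/cgi.c
@@ -314,16 +314,15 @@
 if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){
 zSecure = " secure;";
 }
 if( lifetime!=0 ){
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; SameSite=strict;"
-" %s\r\n",
+"Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; %s\r\n",
 zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure);
 }else{
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; HttpOnly; SameSite=strict; %s\r\n",
+"Set-Cookie: %s=%t; Path=%s; HttpOnly; %s\r\n",
 zName, zValue, zPath, zSecure);
 }
 }
 
 
 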
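Review bot: Removing the SameSite attribute altogether on new lines 319 and 323 leaves the cookie's cross-site behaviour to each browser's default (Lax in some browsers, effectively None in others) and gives up the request-forgery protection the login cookie had; `SameSite=Lax` would still let a top-level navigation from an email link carry the cookie, which is what the commit description needs, while keeping it off cross-site POSTs and subresource requests. I would change the two format strings to `"Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; SameSite=Lax; %s\r\n"` and `"Set-Cookie: %s=%t; Path=%s; HttpOnly; SameSite=Lax; %s\r\n"`, and record the reason in a short comment above the first blob_appendf, e.g. `/* Lax, not Strict: Strict drops the cookie on top-level navigation from an email link */`. The enclosing function begins before the hunk, and the same two lines recur in the two further renderings of this section below, so the change applies there as well.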
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -314,16 +314,15 @@ | |
| 314 | if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){ |
| 315 | zSecure = " secure;"; |
| 316 | } |
| 317 | if( lifetime!=0 ){ |
| 318 | blob_appendf(&extraHeader, |
| 319 | "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; SameSite=strict;" |
| 320 | " %s\r\n", |
| 321 | zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure); |
| 322 | }else{ |
| 323 | blob_appendf(&extraHeader, |
| 324 | "Set-Cookie: %s=%t; Path=%s; HttpOnly; SameSite=strict; %s\r\n", |
| 325 | zName, zValue, zPath, zSecure); |
| 326 | } |
| 327 | } |
| 328 | |
| 329 | |
| 330 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -314,16 +314,15 @@ | |
| 314 | if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){ |
| 315 | zSecure = " secure;"; |
| 316 | } |
| 317 | if( lifetime!=0 ){ |
| 318 | blob_appendf(&extraHeader, |
| 319 | "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; %s\r\n", |
| 320 | zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure); |
| 321 | }else{ |
| 322 | blob_appendf(&extraHeader, |
| 323 | "Set-Cookie: %s=%t; Path=%s; HttpOnly; %s\r\n", |
| 324 | zName, zValue, zPath, zSecure); |
| 325 | } |
| 326 | } |
| 327 | |
| 328 | |
| 329 |