author | Daniel Friesel <derf@finalrewind.org> | 2019-06-01 18:04:50 +0200 |
---|---|---|
committer | Daniel Friesel <derf@finalrewind.org> | 2019-06-01 18:04:50 +0200 |
commit | d90c44ccffa8c07ef91afb750a509f69f41b43bd (patch) | |
tree | cfcf389643432a4088e7da5a24451454d380d1bd | |
parent | f355a8d95e4511687df70a91fea079380b234040 (diff) |
Work around Safari violating the spec for SameSite=Lax cookies (tag 1.7.2)
This fixes users being logged out whenever following an external link to
travelynx in Safari (iOS/macOS)
-rwxr-xr-x | lib/Travelynx.pm | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm index e4dc5b4..76b4b7f 100755 --- a/lib/Travelynx.pm +++ b/lib/Travelynx.pm @@ -94,6 +94,21 @@ sub startup { ); $self->sessions->default_expiration( 60 * 60 * 24 * 180 ); + # Starting with v8.11, Mojolicious sends SameSite=Lax Cookies by default. + # In theory, "The default lax value provides a reasonable balance between + # security and usability for websites that want to maintain user's logged-in + # session after the user arrives from an external link". In practice, + # Safari (both iOS and macOS) does not send a SameSite=lax cookie when + # following a link from an external site. So, marudor.de providing a + # checkin link to travelynx.de/s/whatever does not work because the user + # is not logged in due to Safari not sending the cookie. + # + # This looks a lot like a Safari bug, but we can't do anything about it. So + # we don't set the SameSite flag at all for now. + # + # --derf, 2019-05-01 + $self->sessions->samesite(undef); + $self->defaults( layout => 'default' ); $self->hook( |
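Review bot: `$self->sessions->samesite(undef);` removes the SameSite attribute for every browser, not only the Safari versions the comment describes, so the session cookie will again be attached to cross-site requests of any method and the CSRF mitigation that the Lax default provided is gone for all users. The comment should say plainly that this trade-off is accepted, and every state-changing route should be checked to have its own CSRF token or method restriction now that the cookie no longer provides that defence. A small test asserting that the session Set-Cookie header carries no SameSite attribute would also make the workaround visible if a later Mojolicious release treats an undef setting differently. Minor: the comment is signed "--derf, 2019-05-01" while the commit is dated 2019-06-01; align the date or drop it.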