author: Daniel Friesel <derf@finalrewind.org> 2019-06-01 18:04:50 +0200
committer: Daniel Friesel <derf@finalrewind.org> 2019-06-01 18:04:50 +0200
commit: d90c44ccffa8c07ef91afb750a509f69f41b43bd
tree: cfcf389643432a4088e7da5a24451454d380d1bd
parent: f355a8d95e4511687df70a91fea079380b234040
Work around Safari violating the spec for SameSite=Lax cookies (1.7.2)
This fixes users being logged out whenever following an external link to travelynx in Safari (iOS/macOS)
-rwxr-xr-x lib/Travelynx.pm | 15
1 file changed, 15 insertions, 0 deletions
diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm
index e4dc5b4..76b4b7f 100755
--- a/lib/Travelynx.pm
+++ b/lib/Travelynx.pm
@@ -94,6 +94,21 @@ sub startup {
);
$self->sessions->default_expiration( 60 * 60 * 24 * 180 );
+ # Starting with v8.11, Mojolicious sends SameSite=Lax Cookies by default.
+ # In theory, "The default lax value provides a reasonable balance between
+ # security and usability for websites that want to maintain user's logged-in
+ # session after the user arrives from an external link". In practice,
+ # Safari (both iOS and macOS) does not send a SameSite=lax cookie when
+ # following a link from an external site. So, marudor.de providing a
+ # checkin link to travelynx.de/s/whatever does not work because the user
+ # is not logged in due to Safari not sending the cookie.
+ #
+ # This looks a lot like a Safari bug, but we can't do anything about it. So
+ # we don't set the SameSite flag at all for now.
+ #
+ # --derf, 2019-05-01
+ $self->sessions->samesite(undef);
+
$self->defaults( layout => 'default' );
$self->hook(
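Review bot: `$self->sessions->samesite(undef)` at the end of this hunk removes the SameSite attribute from the session cookie for every browser, not just Safari, so the cross-site request protection that `Lax` gave to state-changing requests is dropped everywhere and the cookie falls back to whatever each browser's default is. Please confirm that all state-changing routes are covered by an application-level CSRF token, or narrow the workaround (for example, keep `Lax` by default and only relax it where the Safari breakage actually occurs) and say so in the comment. Minor: the comment is signed `--derf, 2019-05-01` while the commit is dated 2019-06-01; fix the date if that is a typo.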