From d90c44ccffa8c07ef91afb750a509f69f41b43bd Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Sat, 1 Jun 2019 18:04:50 +0200
Subject: Work around Safari violating the spec for SameSite=Lax cookies

This fixes users being logged out whenever following an external link to
travelynx in Safari (iOS/macOS)
---
 lib/Travelynx.pm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm
index e4dc5b4..76b4b7f 100755
--- a/lib/Travelynx.pm
+++ b/lib/Travelynx.pm
@@ -94,6 +94,21 @@ sub startup {
 	);
 	$self->sessions->default_expiration( 60 * 60 * 24 * 180 );
 
+	# Starting with v8.11, Mojolicious sends SameSite=Lax Cookies by default.
+	# In theory, "The default lax value provides a reasonable balance between
+	# security and usability for websites that want to maintain user's logged-in
+	# session after the user arrives from an external link". In practice,
+	# Safari (both iOS and macOS) does not send a SameSite=lax cookie when
+	# following a link from an external site. So, marudor.de providing a
+	# checkin link to travelynx.de/s/whatever does not work because the user
+	# is not logged in due to Safari not sending the cookie.
+	#
+	# This looks a lot like a Safari bug, but we can't do anything about it. So
+	# we don't set the SameSite flag at all for now.
+	#
+	# --derf, 2019-05-01
+	$self->sessions->samesite(undef);
+
 	$self->defaults( layout => 'default' );
 
 	$self->hook(
-- 
cgit v1.2.3