From d90c44ccffa8c07ef91afb750a509f69f41b43bd Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Sat, 1 Jun 2019 18:04:50 +0200 Subject: Work around Safari violating the spec for SameSite=Lax cookies This fixes users being logged out whenever following an external link to travelynx in Safari (iOS/macOS) --- lib/Travelynx.pm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/Travelynx.pm b/lib/Travelynx.pm index e4dc5b4..76b4b7f 100755 --- a/lib/Travelynx.pm +++ b/lib/Travelynx.pm @@ -94,6 +94,21 @@ sub startup { ); $self->sessions->default_expiration( 60 * 60 * 24 * 180 ); + # Starting with v8.11, Mojolicious sends SameSite=Lax Cookies by default. + # In theory, "The default lax value provides a reasonable balance between + # security and usability for websites that want to maintain user's logged-in + # session after the user arrives from an external link". In practice, + # Safari (both iOS and macOS) does not send a SameSite=lax cookie when + # following a link from an external site. So, marudor.de providing a + # checkin link to travelynx.de/s/whatever does not work because the user + # is not logged in due to Safari not sending the cookie. + # + # This looks a lot like a Safari bug, but we can't do anything about it. So + # we don't set the SameSite flag at all for now. + # + # --derf, 2019-05-01 + $self->sessions->samesite(undef); + $self->defaults( layout => 'default' ); $self->hook( -- cgit v1.2.3