Set cookie same site protection to nil
This is an attempt to fix an issue we're seeing where signing in with
Omniauth isn't working in Safari. Setting this value to `nil` (which
means the `SameSite` attribute is left unset) should in theory be the
same as setting it to `lax` (which means the `SameSite` attribute is set
to `Lax`), however it seems like Safari treats these differently:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax

omniauth/omniauth-oauth2#155 (comment)
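The commit message rests on the difference between an unset `SameSite` attribute and an explicit `Lax`. The following Ruby is an added example, not code from this repository or from Rails: it builds the `Set-Cookie` header the session store would emit under each setting and then models whether a browser attaches that cookie to the provider's redirect back into the app. The browser-default table (`BROWSER_DEFAULTS`), the 2-minute "Lax+POST" window, and the assumption that the problematic callback arrives as a cross-site top-level POST are assumptions of this model, not facts taken from the commit page.

```ruby
# Added example (not the repository's code). Models the effect of
# `cookies_same_site_protection` on the `_session_id` cookie.

EXPLICIT = { strict: "Strict", lax: "Lax", none: "None" }.freeze

# Build the Set-Cookie header for the session cookie.
# same_site: nil leaves the attribute out, which is what the commit selects.
def session_set_cookie(value:, same_site:, secure:)
  parts = ["_session_id=#{value}", "Path=/", "HttpOnly"]
  parts << "Secure" if secure
  parts << "SameSite=#{EXPLICIT.fetch(same_site)}" if same_site
  parts.join("; ")
end

# Read the SameSite attribute back out of a Set-Cookie header (nil if absent).
def same_site_attribute(header)
  m = header.match(/;\s*SameSite=(\w+)/i)
  m && m[1].downcase.to_sym
end

# Assumed browser behaviour for an *unset* attribute:
#   :lax_by_default - treat unset as Lax, but still send the cookie on a
#                     top-level cross-site POST if it is under 2 minutes old
#                     ("Lax+POST" transition behaviour).
#   :unrestricted   - treat unset as no same-site restriction at all.
BROWSER_DEFAULTS = { chrome_like: :lax_by_default, safari_like: :unrestricted }.freeze

# Decide whether the cookie is attached to a request.
# request: { cross_site: bool, top_level: bool, method: "GET" | "POST" }
def cookie_sent?(header, request, browser:, cookie_age_seconds: 0)
  return true unless request[:cross_site] # same-site requests always carry it

  case same_site_attribute(header)
  when :strict then false
  when :none   then true
  when :lax    then request[:top_level] && request[:method] == "GET"
  when nil
    case BROWSER_DEFAULTS.fetch(browser)
    when :unrestricted then true
    when :lax_by_default
      return true if request[:top_level] && request[:method] == "GET"
      request[:top_level] && request[:method] == "POST" && cookie_age_seconds < 120
    end
  end
end

# Constructed requests. Note the two are indistinguishable to the browser:
# a provider posting the OAuth response back (assumed form-post style callback)
# and an attacker's auto-submitting cross-site form look the same on the wire.
OAUTH_CALLBACK_POST = { cross_site: true, top_level: true, method: "POST" }.freeze
CSRF_FORM_POST      = { cross_site: true, top_level: true, method: "POST" }.freeze

if __FILE__ == $PROGRAM_NAME
  lax   = session_set_cookie(value: "abc", same_site: :lax, secure: true)
  unset = session_set_cookie(value: "abc", same_site: nil,  secure: true)
  puts "Lax header:   #{lax}"
  puts "unset header: #{unset}"
  puts "Lax,   Safari-like, callback POST: #{cookie_sent?(lax,   OAUTH_CALLBACK_POST, browser: :safari_like)}"
  puts "unset, Safari-like, callback POST: #{cookie_sent?(unset, OAUTH_CALLBACK_POST, browser: :safari_like)}"
  puts "unset, Safari-like, old CSRF POST: #{cookie_sent?(unset, CSRF_FORM_POST, browser: :safari_like, cookie_age_seconds: 3600)}"
  puts "unset, Chrome-like, old CSRF POST: #{cookie_sent?(unset, CSRF_FORM_POST, browser: :chrome_like, cookie_age_seconds: 3600)}"
end
```

Under this model the `nil` setting makes the Safari-like sign-in work precisely because it also makes the hour-old session cookie accompany a cross-site form POST in that browser, which is the restriction the CodeQL alert on the diff is about; a Chrome-like browser only grants the 2-minute exception. Whatever the real browser matrix is, the point to take from the model is that the OAuth callback and a CSRF form post are the same request shape, so removing `SameSite` shifts the whole CSRF burden onto Rails' forgery token.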
thomasleese committed Jul 31, 2023
1 parent e6d92d7 commit 24a1caf
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions config/initializers/session_store.rb
@@ -1,3 +1,5 @@
Rails.application.config.action_dispatch.cookies_same_site_protection = nil

Check failure: Code scanning / CodeQL, "Weak cookie configuration" (High): Unsetting 'SameSite' can disable same-site cookie restrictions in some browsers.

Rails.application.config.session_store :active_record_store,
key: "_session_id",
secure: Rails.env.production?,
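Review bot: the added `cookies_same_site_protection = nil` line at the top of this hunk relaxes `SameSite` for every cookie the application sets, not only for the Safari OmniAuth flow the commit message describes, and the CodeQL alert attached to it is correct that in browsers which apply no Lax default an unset attribute means no same-site restriction at all, so the `_session_id` cookie configured just below will be sent on cross-site form POSTs and Rails' request-forgery token becomes the only CSRF defence. Since `session_store` accepts a `same_site:` option alongside `key:` and `secure:`, consider leaving the global default at `:lax` and relaxing only the cookie the callback actually needs; if the global change must stay, it needs a code comment carrying the Safari symptom and the omniauth-oauth2 #155 link from the commit message so the next reader does not revert it, plus a follow-up to confirm `protect_from_forgery` is active on the controllers that rely on that cookie. Also note `secure: Rails.env.production?` leaves the cookie non-Secure outside production, which combined with an unset `SameSite` makes development and staging sessions the most exposed.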

0 comments on commit 24a1caf