[frontend] Set session cookies SameSite attribute to Lax (ISH-381)

2024-06-21 21:49:03 +02:00 · 2024-06-21 21:49:03 +02:00 · e8ecee4c76
commit e8ecee4c76
parent 8b61186449
1 changed files with 4 additions and 4 deletions
--- a/Iceshrimp.Frontend/Core/Services/SessionService.cs
+++ b/Iceshrimp.Frontend/Core/Services/SessionService.cs
@ -63,24 +63,24 @@ internal class SessionService
        Current = null;
        LocalStorage.RemoveItem("last_user");
        ((IJSInProcessRuntime)Js).InvokeVoid("eval",
-                                             $"document.cookie = \"admin_session=; Fri, 31 Dec 1000 23:59:59 GMT SameSite=Strict\"");
+                                             $"document.cookie = \"admin_session= ; Fri, 31 Dec 1000 23:59:59 GMT SameSite=Lax\"");
    }

    public void SetSession(string id)
    {
        ((IJSInProcessRuntime)Js).InvokeVoid("eval",
-                                             $"document.cookie = \"admin_session=; expires=Fri, 31 Dec 1000 23:59:59 GMT SameSite=Strict\"");
+                                             $"document.cookie = \"admin_session= ; expires=Fri, 31 Dec 1000 23:59:59 GMT SameSite=Lax\"");
        var user = GetUserById(id);
        if (user == null) throw new Exception("Did not find User in Local Storage");
        ApiService.SetBearerToken(user.Token);
        Current = user;
        LocalStorage.SetItem("last_user", user.Id);
        ((IJSInProcessRuntime)Js).InvokeVoid("eval",
-                                             $"document.cookie = \"session={user.Id}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Strict\"");
+                                             $"document.cookie = \"session={user.Id}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Lax\"");
        if (user.IsAdmin)
        {
            ((IJSInProcessRuntime)Js).InvokeVoid("eval",
-                                                 $"document.cookie = \"admin_session={user.Token}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Strict\"");
+                                                 $"document.cookie = \"admin_session={user.Token}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Lax\"");
        }
        // Security implications of this need a second pass? user.Id should never be user controllable, but still.
    }