From e8ecee4c7649d1b1b7fad03b1ae08d1cde4d0402 Mon Sep 17 00:00:00 2001
From: Lilian
Date: Fri, 21 Jun 2024 21:49:03 +0200
Subject: [PATCH] [frontend] Set session cookies SameSite attribute to Lax (ISH-381)
---
 Iceshrimp.Frontend/Core/Services/SessionService.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Iceshrimp.Frontend/Core/Services/SessionService.cs b/Iceshrimp.Frontend/Core/Services/SessionService.cs
index c239a13f..92d0e274 100644
--- a/Iceshrimp.Frontend/Core/Services/SessionService.cs
+++ b/Iceshrimp.Frontend/Core/Services/SessionService.cs
@@ -63,24 +63,24 @@ internal class SessionService
 Current = null;
 LocalStorage.RemoveItem("last_user");
 ((IJSInProcessRuntime)Js).InvokeVoid("eval",
- $"document.cookie = \"admin_session=; Fri, 31 Dec 1000 23:59:59 GMT SameSite=Strict\"");
+ $"document.cookie = \"admin_session= ; Fri, 31 Dec 1000 23:59:59 GMT SameSite=Lax\"");
 }
 
 public void SetSession(string id)
 {
 ((IJSInProcessRuntime)Js).InvokeVoid("eval",
- $"document.cookie = \"admin_session=; expires=Fri, 31 Dec 1000 23:59:59 GMT SameSite=Strict\"");
+ $"document.cookie = \"admin_session= ; expires=Fri, 31 Dec 1000 23:59:59 GMT SameSite=Lax\"");
 var user = GetUserById(id);
 if (user == null) throw new Exception("Did not find User in Local Storage");
 ApiService.SetBearerToken(user.Token);
 Current = user;
 LocalStorage.SetItem("last_user", user.Id);
 ((IJSInProcessRuntime)Js).InvokeVoid("eval",
- $"document.cookie = \"session={user.Id}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Strict\"");
+ $"document.cookie = \"session={user.Id}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Lax\"");
 if (user.IsAdmin)
 {
 ((IJSInProcessRuntime)Js).InvokeVoid("eval",
- $"document.cookie = \"admin_session={user.Token}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Strict\"");
+ $"document.cookie = \"admin_session={user.Token}; expires=Fri, 31 Dec 9999 23:59:59 GMT; SameSite=Lax\"");
 }
 // Security implications of this need a second pass? user.Id should never be user controllable, but still.
 }
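Review bot: The two admin_session clearing statements in the hunk (the first added line, inside the method whose start is outside the hunk, and the one at the top of SetSession) still do not delete the cookie: the first has no `expires=` keyword at all, neither has a `;` between the date and `SameSite`, and a year of 1000 is below the 1601 floor of RFC 6265 date parsing, so browsers ignore the attribute and keep an empty-value session cookie (and the SameSite attribute is lost with it); both should read `document.cookie = "admin_session=; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax"` with the same `Path` as the setting line, if one is ever added. Separately, admin_session stores `user.Token` through `document.cookie`, so it is readable by any script on the origin and, without `; Secure`, would also be sent over plain HTTP; `Secure` should be appended to all four set statements. Relaxing to Lax lets the cookie accompany top-level cross-site GET navigations, so presumably whatever backend endpoint reads admin_session must reject state-changing GETs — confirm against the server side, which this hunk does not show. The existing "Security implications of this need a second pass?" comment would be a good place to record that decision.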