Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explicitly set the session cookie to SameSite=Lax #50097

Merged
merged 1 commit into from
Dec 11, 2024
Merged

Explicitly set the session cookie to SameSite=Lax #50097

merged 1 commit into from
Dec 11, 2024

Conversation

zmb3
Copy link
Collaborator

@zmb3 zmb3 commented Dec 11, 2024

Prior to this change, we were not explicitly setting the SameSite mode for our session cookie, which leaves the behavior up to the browser.

Chromium-based browsers have been defaulting to SameSite=Lax since Chrome 80 in February 2020, so this is not a behavior change but rather locking in today's behavior and being explicit about it.

Note that this is for Teleport's session cookie only. App session cookies remain using SameSite=None because the proxied app may itself be using SSO, and we need the app session cookie to make its way through SSO redirects.

@github-actions github-actions bot requested a review from codingllama December 11, 2024 20:47
@github-actions github-actions bot requested a review from kopiczko December 11, 2024 20:47
@zmb3 zmb3 requested a review from avatus December 11, 2024 21:38
@zmb3
Explicitly set the session cookie to SameSite=Lax
5f59760 
Prior to this change, we were not explicitly setting the SameSite
mode for our session cookie, which leaves the behavior up to the
browser.

Chromium-based browsers have been defaulting to SameSite=Lax since
Chrome 80 in February 2020, so this is not a behavior change but
rather locking in today's behavior and being explicit about it.

Note that this is for Teleport's session cookie only. App session
cookies remain using SameSite=None because the proxied app may
itself be using SSO, and we need the app session cookie to make
its way through SSO redirects.
@zmb3 zmb3 force-pushed the zmb3/explicit-same-site-session-cookie branch from b89f5b3 to 5f59760 Compare December 11, 2024 21:40
avatus
avatus approved these changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@avatus avatus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

everything works for me!

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from kopiczko December 11, 2024 21:43
@zmb3 zmb3 added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v16 backport/branch/v17 labels Dec 11, 2024
@zmb3 zmb3 enabled auto-merge December 11, 2024 22:07
@zmb3 zmb3 added this pull request to the merge queue Dec 11, 2024
Merged via the queue into master with commit 68ce475 Dec 11, 2024
43 of 44 checks passed
@zmb3 zmb3 deleted the zmb3/explicit-same-site-session-cookie branch December 11, 2024 22:34
@public-teleport-github-review-bot
Copy link

@zmb3 See the table below for backport results.

Branch Result
branch/v15 Create PR
branch/v16 Create PR
branch/v17 Create PR

This was referenced Dec 11, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codingllama codingllama codingllama approved these changes

@avatus avatus avatus approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zmb3 @avatus @codingllama