From f5d599e7d225fd2bc5ced234e172ce3ea8f6306f Mon Sep 17 00:00:00 2001 From: Ben Busby Date: Tue, 10 May 2022 17:40:58 -0600 Subject: [PATCH] Use `lax` for session `SameSite` value (not `strict`) SESSION_COOKIE_SAMESITE must be set to 'lax' to allow the user's previous session to persist when accessing the instance from an external link. Setting this value to 'strict' causes Whoogle to revalidate a new session, and fail, resulting in cookies being disabled. This could be re-evaluated if Whoogle ever switches to client side configuration instead. Fixes #749
---
 app/__init__.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/__init__.py b/app/__init__.py
index ae8ac06..a49de61 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -26,10 +26,18 @@ if os.getenv('WHOOGLE_DOTENV', ''):
 load_dotenv(os.path.join(os.path.dirname(os.path.abspath(__file__)),
 dotenv_path))
+# Session values
+# NOTE: SESSION_COOKIE_SAMESITE must be set to 'lax' to allow the user's
+# previous session to persist when accessing the instance from an external
+# link. Setting this value to 'strict' causes Whoogle to revalidate a new
+# session, and fail, resulting in cookies being disabled.
+#
+# This could be re-evaluated if Whoogle ever switches to client side
+# configuration instead.
 app.default_key = generate_user_key()
 app.config['SECRET_KEY'] = os.urandom(32)
 app.config['SESSION_TYPE'] = 'filesystem'
-app.config['SESSION_COOKIE_SAMESITE'] = 'strict'
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
 if os.getenv('HTTPS_ONLY'):
 app.config['SESSION_COOKIE_NAME'] = '__Secure-session'