Same site cookies clarification

(Lee Strickland) #1

I am working on tightening down every security nut and bolt I can.
I’m looking at the setting called same site cookies (admin > settings > security > same site cookies).
I only use the discourse system login, no social or other login.
I can’t find the answer to this by searching the terms I’m using so maybe I’m talking in the wrong terms here.
But can I turn this to strict?
I think so but I don’t wanna bork things by flipping a switch and invalidating all cookies that can even BE handed out or something crazy.
It is currently on lax and seems to be using same site cookies from what I can tell looking at cookies, which isn’t much.

(Kane York) #2

Here’s the MDN documentation to help understand what those mean:

RFC: draft-ietf-httpbis-cookie-same-site-00 - Same-Site Cookies

Based on Section 3.2, I suspect setting it to Strict would make it appear as if you were not logged in whenever you came from an external link.
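To make the Section 3.2 behaviour concrete, here is an added example that is not part of the thread or of Discourse itself: a small model of the browser-side decision of whether a session cookie is attached to a request, given its SameSite attribute and the request context. The functions `parseSetCookie` and `shouldSendCookie`, the cookie name `session`, and the three request scenarios are all constructed for the illustration.

```javascript
// Added example: models how a browser decides whether to attach a cookie,
// based on the cookie's SameSite attribute and the request context.
// Helper names and sample values are constructed, not Discourse code.

// Parse one Set-Cookie header line into { name, value, sameSite }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, v] = p.split("=");
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  // Chromium-based browsers treat a missing SameSite attribute as Lax;
  // this model does the same.
  const sameSite = String(attrs.samesite || "Lax").toLowerCase();
  return { name, value: valueParts.join("="), sameSite };
}

// Safe HTTP methods for the Lax rule (RFC 7231 section 4.2.1).
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// ctx = { crossSite: boolean, topLevelNavigation: boolean, method: string }
// Returns true if the browser would include the cookie on this request.
function shouldSendCookie(cookie, ctx) {
  if (!ctx.crossSite) return true; // same-site requests always carry the cookie
  switch (cookie.sameSite) {
    case "strict":
      // Never sent on any cross-site request, including a top-level
      // navigation from an external link: the user looks logged out.
      return false;
    case "lax":
      // Sent only on top-level navigations that use a safe method, so an
      // email link (GET) works but a cross-site form POST or image does not.
      return ctx.topLevelNavigation && SAFE_METHODS.includes(ctx.method.toUpperCase());
    case "none":
      // Sent on every request (browsers additionally require Secure).
      return true;
    default:
      return false;
  }
}

// Constructed scenarios: a user arriving at the forum from another site.
const emailLink = { crossSite: true, topLevelNavigation: true, method: "GET" };
const embeddedImage = { crossSite: true, topLevelNavigation: false, method: "GET" };
const crossSiteFormPost = { crossSite: true, topLevelNavigation: true, method: "POST" };
const sameSiteClick = { crossSite: false, topLevelNavigation: true, method: "GET" };

// Constructed session cookies, one per setting under discussion.
const laxCookie = parseSetCookie("session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax");
const strictCookie = parseSetCookie("session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict");

// Summarise which scenarios still appear logged in for a given cookie.
function loggedInFrom(cookie) {
  return {
    emailLink: shouldSendCookie(cookie, emailLink),
    embeddedImage: shouldSendCookie(cookie, embeddedImage),
    crossSiteFormPost: shouldSendCookie(cookie, crossSiteFormPost),
    sameSiteClick: shouldSendCookie(cookie, sameSiteClick),
  };
}

console.log("Lax:", loggedInFrom(laxCookie));
console.log("Strict:", loggedInFrom(strictCookie));
```

The output shows the trade-off in the thread: with Lax, the cookie still rides along on a plain link from an email or another site, while cross-site POSTs and embedded subresources are left without it; with Strict, every cross-site arrival lands on the forum without a session, which is the "appears not logged in" behaviour described above.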

(Lee Strickland) #3

Short answer: It is safe as long as you do not intend users to appear logged in coming from an external link

In practice, hyperlinks in email and other basic communications seem to still work, and the intended functionality was preserved. Thanks for the help.

(Joshua Rosenfeld) closed #4

This topic was automatically closed after 33 hours. New replies are no longer allowed.