- Issue created by @matoeil
- πΊπΈUnited States cilefen
Is it this? β¨ One-time login links broken in Gmail/Outlook Postponed: needs info
- Status changed to Postponed: needs info
4 months ago 1:34pm 12 February 2024 - πΊπΈUnited States cilefen
Please confirm whether you have
samesite: strictset on session cookies. - πΊπΈUnited States cilefen
Here is another one: π¬ When external link has a referrer, /user/login?destination= shows login screen when logged in Closed: works as designed .
- π«π·France matoeil
the parameters was not there in the services.yml
it should be lax by default.Anyway , adding
parameters: session.storage.options: # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set, # this value will override the server value. See # https://www.php.net/manual/en/session.security.ini.php for more # information. # @default no value cookie_samesite: Laxseems indeed to fix it
- π«π·France matoeil
is it safe to put lax then regarding CSRF vulnerabilities ?
- Status changed to Active
4 months ago 8:34am 14 February 2024 - Status changed to Closed: duplicate
4 months ago 12:11pm 14 February 2024 - πΊπΈUnited States cilefen
You may have βstrictβ set in php.ini. Anyway, the setting is your decision: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#sam...