From f17e58df294d4492ea0fc7d91677edee5b0e5af1 Mon Sep 17 00:00:00 2001
From: Wim Brand
Date: Wed, 19 Feb 2020 14:36:55 +0100
Subject: [PATCH] update auth cookie settings

---
 webcontroller/user_account.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/webcontroller/user_account.go b/webcontroller/user_account.go
index 227546d..b1ee23d 100644
--- a/webcontroller/user_account.go
+++ b/webcontroller/user_account.go
@@ -175,12 +175,18 @@ func (wc *WebController) loginForm(td *TemplateData, r *http.Request) (f Form) {
 // Set the autentication cookie
 f.Extra.SetCookie = &http.Cookie{
- Name: "pd_auth_key",
- Value: loginResp.APIKey,
- Path: "/",
- Expires: time.Now().AddDate(50, 0, 0),
- Domain: wc.sessionCookieDomain,
- SameSite: http.SameSiteStrictMode,
+ Name: "pd_auth_key",
+ Value: loginResp.APIKey,
+ Path: "/",
+ Expires: time.Now().AddDate(50, 0, 0),
+ Domain: wc.sessionCookieDomain,
+
+ // Strict means the Cookie will only be sent when the user
+ // reaches a page by a link from the same domain. Lax means any
+ // page on the domain gets the cookie and None means embedded
+ // content also gets the cookie. We're not trying to track the
+ // user around the web so we use lax
+ SameSite: http.SameSiteLaxMode,
 }
 f.Extra.RedirectTo = "/user"
 }
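Review bot: The rewritten `http.Cookie` literal still sets neither `HttpOnly` nor `Secure`, so the API key carried in `pd_auth_key` remains readable from page scripts and can be sent over plain HTTP; adding `HttpOnly: true,` and `Secure: true,` beside the `SameSite` field closes both gaps (if a development setup serves over HTTP, gate `Secure` on the request scheme rather than dropping it). The new comment also misdescribes the SameSite modes: Strict withholds the cookie on every cross-site request, including a top-level link from another site, Lax sends it on top-level navigations that use safe methods such as GET, and None sends it on all cross-site requests and requires `Secure` in current browsers, so rewording it as `// Lax: sent on top-level navigations from other sites (e.g. following a link) but not on cross-site sub-requests; that is enough here since the cookie is not needed in embedded content` would match actual browser behaviour. The 50-year `Expires` on `time.Now().AddDate(50, 0, 0)` makes this a near-permanent credential, which is presumably intentional for a remember-me key but is worth pairing with server-side revocation of the API key. loginForm's body continues outside the hunk on both sides.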