update auth cookie settings

2020-02-19 14:36:55 +01:00
parent da62ce6c3c
commit f17e58df29
1 changed files with 12 additions and 6 deletions
--- a/webcontroller/user_account.go
+++ b/webcontroller/user_account.go
@@ -180,7 +180,13 @@ func (wc *WebController) loginForm(td *TemplateData, r *http.Request) (f Form) {
 				Path:    "/",
 				Expires: time.Now().AddDate(50, 0, 0),
 				Domain:  wc.sessionCookieDomain,
-				SameSite: http.SameSiteStrictMode,
+
+				// Strict means the Cookie will only be sent when the user
+				// reaches a page by a link from the same domain. Lax means any
+				// page on the domain gets the cookie and None means embedded
+				// content also gets the cookie. We're not trying to track the
+				// user around the web so we use lax
+				SameSite: http.SameSiteLaxMode,
 			}
 			f.Extra.RedirectTo = "/user"
 		}