Adding `SameSite` to `Antikythera.Http.SetCookie`

[sylph01]

Rationale

Antikythera.Http.SetCookie lacks the option to set the SameSite attribute of Set-Cookie header, and now it is forced into using SameSite=Lax.
As my team and I came across a need to set the SameSite directive to SameSite=none (especially in combination with Antikythera.Session), I am raising this issue and proposing the addition of this functionality. This would also help gears that want to enforce SameSite=strict.

Proposed changes

• Add same_site field to Antikythera.Http.SetCookie
  • This will be an enum that takes either :lax, :strict, or :none
  • Adding a field under the SetCookie module's field list and adding a type would do this
  • I am ready to write up a patch for this change
• Add an interface to Antikythera.Plug.Session.load/2
  • When explicitly adding a Cookie entry, passing an optional argument to Antikythera.Conn.put_resp_cookie/4 can achieve this
  • But when used in combination with Antikythera.Plug.Session.load/2 it is not trivial, so I would like advice on how to change this
    • As of right now, I am thinking of passing options under :set_cookie key, then passing this option to make_before_send/2 (this would add an argument and thus change the signature to make_before_send/3 ) so that it can be passed onto Antikythera.Conn.put_resp_cookie/4 (now called with only 3 arguments).

Relevant references

• SameSite cookies - HTTP | MDN

[aYukiSekiguchi]

Thank you for filing a bug!

Since cowlib which Antikythera uses, has :same_site, Antikythera.Http.SetCookie should have it as well. However, cowlib 2.9 or earlier only supports :lax and :strict, so we have to update cowlib to 2.10. It means we have to update cowboy to 2.9.

Could you wait for the cowboy update?

[sylph01]

I have checked with our team that we can figure out a workaround to our project's specific problem, so we can wait for the cowboy update.

Meanwhile, we found out that we need to specify the session's expiration explicitly, so I sent a patch that does this and also addresses the second part of this issue (Add an interface to Antikythera.Plug.Session.load/2). The first part will be addressed after the cowboy update, because it is dependent on cowboy supporting the :none value for same_site key.