Conversation

@torcolvin
Collaborator

@torcolvin torcolvin commented Oct 28, 2025

CBG-4962 create cookie with SameSite=None if CORS enabled

Preserve existing behavior unless CORS is enabled. If CORS is enabled, pass SameSite=None to allow cross origin requests.

Pre-review checklist

  • Removed debug logging (fmt.Print, log.Print, ...)
  • Logging sensitive data? Make sure it's tagged (e.g. base.UD(docID), base.MD(dbName))
  • Updated relevant information in the API specifications (such as endpoint descriptions, schemas, ...) in docs/api

Copilot AI review requested due to automatic review settings October 28, 2025 20:02
Contributor

Copilot AI left a comment

Pull Request Overview

This PR modifies cookie creation to set SameSite=None when CORS is enabled, allowing cross-origin authenticated requests while preserving existing behavior when CORS is disabled.

  • Updated MakeSessionCookie to accept a sameSite parameter
  • Modified session creation to set SameSite=None when CORS is configured
  • Added test coverage to verify cookie attributes for both CORS-enabled and CORS-disabled scenarios

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • rest/session_api.go: Added logic to set SameSite=None when CORS is enabled during session cookie creation
  • auth/session.go: Updated MakeSessionCookie function signature to accept sameSite parameter
  • rest/session_test.go: Added tests verifying SameSite attribute behavior with and without CORS configuration
  • rest/cors_test.go: Added assertion to verify SameSite=None in existing CORS test
  • auth/session_test.go: Updated all test calls to pass http.SameSiteDefaultMode parameter

Comment on lines 129 to 132
if !h.getCORSConfig().IsEmpty() {
sameSite = http.SameSiteNoneMode
}
cookie := auth.MakeSessionCookie(session, h.db.Options.SecureCookieOverride, h.db.Options.SessionCookieHttpOnly, sameSite)
Copilot AI Oct 28, 2025

When setting SameSite=None, the Secure flag must also be set to true for the cookie to be accepted by browsers. The current implementation doesn't enforce this constraint. Consider adding validation to ensure SecureCookieOverride is true when CORS is enabled, or document this requirement.

Suggested change (the original lines, followed by the proposed replacement):
if !h.getCORSConfig().IsEmpty() {
sameSite = http.SameSiteNoneMode
}
cookie := auth.MakeSessionCookie(session, h.db.Options.SecureCookieOverride, h.db.Options.SessionCookieHttpOnly, sameSite)
secure := h.db.Options.SecureCookieOverride
if !h.getCORSConfig().IsEmpty() {
sameSite = http.SameSiteNoneMode
// When SameSite=None, Secure must be true for browser compatibility.
secure = true
}
cookie := auth.MakeSessionCookie(session, secure, h.db.Options.SessionCookieHttpOnly, sameSite)

@github-actions
github-actions bot commented Oct 29, 2025

Redocly previews

Collaborator

@adamcfraser adamcfraser left a comment

Looks good to me. One documentation suggestion, otherwise looks fine.

Expires: session.Expiration,
Secure: secureCookie,
HttpOnly: httpOnly,
SameSite: sameSite,
Collaborator

I had to go verify that http.Cookie doesn't emit the SameSite attribute when SameSiteDefaultMode is specified, to ensure we won't see any functional change for users not using CORS or setting the flag.
It's possible that it's worth mentioning the default handling in a function description comment, to make that clear. (On the fence about the necessity of that; take it or leave it.)
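
The two points raised in review above, that a cookie with SameSite=None must also carry Secure to be accepted by browsers, and that net/http emits no SameSite attribute at all when SameSiteDefaultMode is used (so non-CORS users see no change in the Set-Cookie header), as an added Go example. This is not the project's code: CookieSettings, makeSessionCookie, validateSameSite, emitsSameSiteAttribute and the cookie name are assumptions made for the example. Unlike the merged change, it follows the reviewer's suggestion and forces Secure whenever SameSite=None is selected.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// CookieSettings stands in for the per-database options the PR threads
// through (SecureCookieOverride, SessionCookieHttpOnly) plus whether CORS
// is configured. The type and field names are assumptions for this example.
type CookieSettings struct {
	CORSEnabled    bool
	SecureOverride bool
	HttpOnly       bool
}

// makeSessionCookie builds the session cookie. SameSite is left at the
// default unless CORS is enabled, in which case SameSite=None is set and,
// as the review suggested, Secure is forced on so browsers accept the cookie.
func makeSessionCookie(name, value string, expires time.Time, s CookieSettings) *http.Cookie {
	sameSite := http.SameSiteDefaultMode
	secure := s.SecureOverride
	if s.CORSEnabled {
		sameSite = http.SameSiteNoneMode
		// SameSite=None without Secure is rejected by modern browsers.
		secure = true
	}
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Expires:  expires,
		Secure:   secure,
		HttpOnly: s.HttpOnly,
		SameSite: sameSite,
	}
}

// validateSameSite is the check a server could run before emitting a cookie:
// it rejects the SameSite=None-without-Secure combination.
func validateSameSite(c *http.Cookie) error {
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		return fmt.Errorf("cookie %q sets SameSite=None without Secure", c.Name)
	}
	return nil
}

// emitsSameSiteAttribute reports whether the serialized Set-Cookie value
// contains a SameSite attribute. With SameSiteDefaultMode, net/http omits it.
func emitsSameSiteAttribute(c *http.Cookie) bool {
	return strings.Contains(c.String(), "SameSite=")
}

func main() {
	exp := time.Now().Add(24 * time.Hour)
	// Constructed settings: one non-CORS database, one with CORS enabled.
	for _, s := range []CookieSettings{
		{CORSEnabled: false, SecureOverride: false, HttpOnly: true},
		{CORSEnabled: true, SecureOverride: false, HttpOnly: true},
	} {
		c := makeSessionCookie("sessionid", "constructed-session-value", exp, s)
		fmt.Printf("CORS=%v -> %s (validation: %v)\n", s.CORSEnabled, c.String(), validateSameSite(c))
	}
}
```

Running main prints one Set-Cookie value without any SameSite attribute for the non-CORS case and one with "SameSite=None" and "Secure" for the CORS case; validateSameSite is what you would call on the cookie if the Secure override is left under operator control rather than forced.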

@torcolvin torcolvin changed the title from "CBG-4960 create cookie with SameSite=None if CORS enabled" to "CBG-4962 create cookie with SameSite=None if CORS enabled" Oct 29, 2025
@torcolvin torcolvin merged commit 30ee4fe into main Oct 29, 2025
61 of 62 checks passed
@torcolvin torcolvin deleted the CBG-4960-samesite branch October 29, 2025 19:36
3 participants