Firefox warns that cookies generated by Catalyst will be rejected in future
by martell (Hermit)
on Jul 04, 2020 at 14:32 UTC
martell has asked for the wisdom of the Perl Monks concerning the following question:
I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version is complaining in the console that my cookies are misusing the sameSite attribute:
In Catalyst I have the following code to configure my site and the Cookie plugin:
I found that I can set the secure flag by adding to my config:
This solves my immediate concern because now Firefox doesn't complain any more. (In reality I use the value "2" because on my development machine I don't use https.) But it doesn't feel like a fundamentally good solution.
Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.
Any thoughts, insights on this observation before I report it as a bug on the module?
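An added example, not part of martell's post and not Catalyst or plugin code: a small Perl check that parses Set-Cookie header values and flags a missing SameSite attribute or SameSite=None without Secure, the combination discussed above. The sample headers and the cookie name `myapp_session` are constructed, and the rule that SameSite=None requires Secure is taken from the current cookie specification draft.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Audit one Set-Cookie header value for its SameSite/Secure combination.
# Returns (cookie name, finding). Assumed rules, from the cookie spec draft:
# SameSite=None needs Secure, and a missing attribute leaves the choice
# to the browser's default.
sub audit_set_cookie {
    my ($header) = @_;
    my ($pair, @attrs) = split /\s*;\s*/, $header // '';
    return (undef, 'malformed: no name=value pair')
        unless defined $pair && $pair =~ /^\s*([^=\s;]+)\s*=/;
    my $name = $1;

    my %attr;
    for my $item (@attrs) {
        my ($key, $value) = split /\s*=\s*/, $item, 2;
        next unless defined $key && length $key;
        $attr{ lc $key } = $value // '';   # attribute names are case-insensitive
    }

    return ($name, 'missing SameSite: set it explicitly (Lax, Strict or None)')
        unless exists $attr{samesite};

    my $mode = lc $attr{samesite};
    return ($name, "ok: SameSite=$attr{samesite}")
        if $mode eq 'lax' || $mode eq 'strict';
    return ($name, 'unrecognised SameSite value') unless $mode eq 'none';
    return exists $attr{secure}
        ? ($name, 'ok: SameSite=None with Secure')
        : ($name, 'SameSite=None without Secure: add Secure or use Lax/Strict');
}

# Constructed sample headers, not captured from a real application.
my @samples = (
    'myapp_session=0123abcd; path=/; HttpOnly',
    'myapp_session=0123abcd; path=/; SameSite=None',
    'myapp_session=0123abcd; path=/; Secure; SameSite=None',
    'myapp_session=0123abcd; path=/; HttpOnly; SameSite=Lax',
);

for my $header (@samples) {
    my ($name, $finding) = audit_set_cookie($header);
    printf "%-55s => %s\n", $header, $finding;
}
```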