Matthew Wild 6407eb90db Explicitly set cookie SameSite attribute to Lax ...

With 'Secure' set, it may default to 'None', which we don't need or want.

'Strict' is not suitable for session cookies - the user would see the login
screen when navigating from another site (e.g. hosting dashboard) and we
already have CSRF protection on forms.

2024-04-29 11:18:55 +01:00

8.6 KiB

Raw Blame History

View Raw