[Webkit-unassigned] [Bug 219650] Cookies set with SameSite=Lax are not sent during redirects in Safari
bugzilla-daemon at webkit.org
Wed May 5 03:05:11 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=219650
Steffen Weber <steffen.weber at gmail.com> changed:
What | Removed | Added
-----|---------|--------------------------
CC   |         | steffen.weber at gmail.com
--- Comment #8 from Steffen Weber <steffen.weber at gmail.com> ---
We use SameSite=Lax for login cookies on our website (https://www.computerbase.de/) as a defense in depth against CSRF. Users have started to report that they appear logged out when clicking on a ComputerBase link in the Google search results using Safari. Google uses a redirect there (at least when using Safari), so this is probably exactly the issue we are facing. SameSite cookies are therefore essentially broken in Safari for our use case.
I don't know what else we could do other than to use user-agent sniffing to disable SameSite cookies for IE6… err, I mean Safari users. (╯°□°)╯︵ ┻━┻
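The SameSite decision the comment relies on, as an added example that is not from the bug report or from WebKit: a small Python model of the RFC 6265bis rules, assuming a simplified registrable-domain rule (last two host labels instead of the Public Suffix List) and the constructed URLs in the block. It shows that a Lax login cookie is expected to accompany a cross-site, top-level GET navigation even when a redirect is involved, whereas a Strict cookie is not, which is why Lax is the usual choice for login cookies.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> tuple[str, str]:
    """Return (scheme, registrable domain) for a URL.

    Constructed simplification: the registrable domain is taken to be the
    last two host labels; real user agents consult the Public Suffix List.
    """
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    return parts.scheme, ".".join(labels[-2:])


@dataclass
class Request:
    initiator: str              # URL of the document that started the request
    redirect_chain: list[str]   # every URL visited, ending with the final target
    method: str = "GET"
    top_level: bool = True      # link click / address bar, as opposed to a subresource

    def is_same_site(self) -> bool:
        # Same-site only if the initiator and every redirect hop share the target's site.
        target_site = site_of(self.redirect_chain[-1])
        return all(site_of(u) == target_site for u in [self.initiator, *self.redirect_chain])


def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Decide whether a cookie with the given SameSite attribute accompanies req."""
    if same_site == "None":
        return True                 # SameSite=None also requires Secure (not modelled)
    if req.is_same_site():
        return True                 # Lax and Strict both travel on same-site requests
    if same_site == "Lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    return False                    # Strict: never attached to a cross-site request


# Constructed scenario from the report: a search-result click that goes through a redirect.
SEARCH_CLICK = Request(
    initiator="https://www.google.com/search?q=computerbase",
    redirect_chain=["https://www.google.com/url?q=https://www.computerbase.de/",
                    "https://www.computerbase.de/"],
)
```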