[Webkit-unassigned] [Bug 219650] Cookies set with SameSite=Lax are not sent during redirects in Safari

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 5 03:05:11 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=219650

Steffen Weber <steffen.weber at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steffen.weber at gmail.com

--- Comment #8 from Steffen Weber <steffen.weber at gmail.com> ---
We use SameSite=Lax for login cookies on our website (https://www.computerbase.de/) as a defense in depth against CSRF. Users have started to report that they appear logged-out when clicking on a ComputerBase link in the Google search results using Safari. Google uses a redirect there (at least when using Safari), so this is probably exactly the issue we are facing. SameSite cookies are therefore essentially broken in Safari for our use-case.

I don't know what else we could do other than to use user-agent sniffing to disable SameSite cookies for IE6… err I mean Safari users. (╯°□°)╯︵ ┻━┻
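As an added illustration (neither WebKit's code nor the reporter's), here is a small Python model of the SameSite attachment rules the comment relies on: under the intended semantics a cross-site top-level GET, including the final hop of a redirect chain, still carries a SameSite=Lax cookie, which is exactly what the report says Safari fails to do. The URLs, cookie name and redirect chain are constructed, and the "site" computation is deliberately simplified.

```python
"""Constructed model of SameSite cookie attachment; not WebKit's code."""
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str     # host the cookie was set for, e.g. "www.computerbase.de"
    same_site: str  # "Strict", "Lax" or "None"

def site_of(url: str) -> str:
    """Approximate a URL's 'site' as scheme plus the last two host labels.
    Simplification: real browsers use the Public Suffix List (co.uk etc.)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return f"{parts.scheme}://{'.'.join(labels[-2:])}"

def in_scope(cookie: Cookie, request_url: str) -> bool:
    """Host matching: cookie domain equals the request host or is a parent of it."""
    host = urlsplit(request_url).hostname or ""
    return host == cookie.domain or host.endswith("." + cookie.domain)

def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: str,
                   *, top_level_navigation: bool, method: str = "GET") -> bool:
    """Should `cookie` accompany a request to `request_url` initiated by a
    document at `initiator_url`? Encodes the intended Strict/Lax/None rules."""
    if not in_scope(cookie, request_url):
        return False
    if site_of(request_url) == site_of(initiator_url) or cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: cross-site requests get the cookie only on top-level safe-method navigations
    return top_level_navigation and method in ("GET", "HEAD")

def navigation_chain(cookie: Cookie, hops: list[str], initiator_url: str) -> list[bool]:
    """A top-level GET navigation following HTTP redirects through `hops`; each hop
    is judged against the document that started the navigation."""
    return [cookie_is_sent(cookie, url, initiator_url, top_level_navigation=True)
            for url in hops]

# Constructed scenario mirroring the report: a search-result redirect lands on the
# destination site, whose login cookie is SameSite=Lax. Intended result [False, True]:
# the Lax cookie rides along on the final hop; a Strict cookie would give [False, False].
SEARCH_PAGE = "https://www.google.com/search?q=computerbase"
HOPS = ["https://www.google.com/url?q=https://www.computerbase.de/",
        "https://www.computerbase.de/"]
LAX_LOGIN = Cookie("session", "www.computerbase.de", "Lax")
```

The model returns what the specification intends; the behaviour described in this bug is the deviation where the final hop arrives without the Lax cookie and the user appears logged out.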
