https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019
--- Comment #6 from David Cook ---

But what's the use case for a Koha staff user changing the SameSite value for a cookie?

Due to deep linking (e.g. linking to a search result page and visiting it as an authenticated user), I can't think of a case off the top of my head that shouldn't be SameSite=Lax.

With SameSite=None, we'd be letting any site send that cookie. I can't see any reason to do that. We wouldn't be creating tracking cookies, and I don't know why we'd let another site send a cookie to Koha via a background call.

SameSite=Strict sounds good in theory for internal cookie usage, but - due to that deep linking I mentioned - every cookie I can think of should be sendable when externally navigating to the site.

That said, I'd be willing to test this theory to try to prove it wrong. I have a feeling that using SameSite=Strict would break a lot of Koha functionality when navigating directly to a page (like search results), but I'm happy to be proven wrong.
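A simplified model of the browser-side SameSite rules the comment above reasons about, added here as an illustration; it is not part of the original comment or of Koha's code. The hostnames, scenario names and the `cookieIsSent` helper are assumptions, and "site" is reduced to a plain string comparison.

```javascript
// Simplified model of when a browser attaches a cookie, by SameSite value.
// Assumption: "site" is compared as a plain string; real browsers compare
// the scheme plus registrable domain.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function cookieIsSent(sameSite, req) {
  const crossSite = req.initiatorSite !== req.targetSite;
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (sameSite) {
    case "Strict":
      return false; // never attached to a cross-site request
    case "Lax":
      // only cross-site top-level navigations that use a safe method
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    case "None":
      return true; // attached to every cross-site request (browsers also require Secure)
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed scenarios; both hostnames are placeholders.
const KOHA = "https://library.example";
const OTHER = "https://other.example";
const scenarios = {
  // user follows a link on another site to a Koha search results page
  deepLink: { initiatorSite: OTHER, targetSite: KOHA, topLevelNavigation: true, method: "GET" },
  // script or hidden resource on another site calls Koha in the background
  backgroundCall: { initiatorSite: OTHER, targetSite: KOHA, topLevelNavigation: false, method: "POST" },
  // form on another site submits a POST that navigates to Koha
  crossSiteFormPost: { initiatorSite: OTHER, targetSite: KOHA, topLevelNavigation: true, method: "POST" },
  // user clicks a link inside Koha itself
  internalClick: { initiatorSite: KOHA, targetSite: KOHA, topLevelNavigation: true, method: "GET" },
};

// Build the full decision table: SameSite value -> scenario -> cookie sent?
function matrix() {
  const out = {};
  for (const mode of ["Strict", "Lax", "None"]) {
    out[mode] = {};
    for (const [name, req] of Object.entries(scenarios)) {
      out[mode][name] = cookieIsSent(mode, req);
    }
  }
  return out;
}

console.table(matrix());
```

In the resulting table, Lax is the only value that carries the cookie on the deep link while withholding it from the background call and the cross-site form POST.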
