Same site cookie fix - Ready for testing / merge (#3990)

* initial fix for httpprefs * token * express_sid fix
2025-04-23 08:56:17 -04:00 · 2020-07-10 08:43:20 +01:00 · 2020-07-10 08:43:20 +01:00 · b15154cc23
commit b15154cc23
parent 3ea8d571e7
3 changed files with 18 additions and 3 deletions
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -128,6 +128,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
    exports.secret = settings.sessionKey;
  }

+  if(settings.ssl){
+    var sameSite = "Strict";
+  }else{
+    var sameSite = "Lax";
+  }
+
  args.app.sessionStore = exports.sessionStore;
  args.app.use(sessionModule({
    secret: exports.secret,
@ -137,6 +143,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
    name: 'express_sid',
    proxy: true,
    cookie: {
+      /*
+       * Firefox started enforcing sameSite, see https://github.com/ether/etherpad-lite/issues/3989
+       * for details.  In response we set it based on if SSL certs are set in Etherpad.  Note that if
+       * You use Nginx or so for reverse proxy this may cause problems.  Use Certificate pinning to remedy.
+       */
+      sameSite: sameSite,
      /*
       * The automatic express-session mechanism for determining if the
       * application is being served over ssl is similar to the one used for