use SameSite=Lax instead of SameSite=Strict

To improve reliability of live streams (#59) on Safari.

Safari was dropping the cookie from websocket update requests.
(But it worked sometimes. I don't get why.) I saw folks on the Internet
thinking this was related to HttpOnly:

*   https://developer.apple.com/forums/thread/104488
*   https://stackoverflow.com/q/47742807/23584

but I still see this behavior without HttpOnly. SameSite=Strict vs
SameSite=Lax appears to make a difference. Try that instead.
SameSite=Strict is pointless for us anyway as noted in a new comment.
Turning off HttpOnly would be more unfortunate security-wise.
Scott Lamb
2021-03-31 10:44:08 -07:00
parent 2fe961f382
commit 560fe804d6
4 changed files with 64 additions and 31 deletions


@@ -233,6 +233,7 @@ impl Session {
}
/// A raw session id (not base64-encoded). Sensitive. Never stored in the database.
#[derive(Copy, Clone)]
pub struct RawSessionId([u8; 48]);
impl RawSessionId {
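Review bot: `#[derive(Copy, Clone)]` on `RawSessionId`, whose doc comment marks it as sensitive, lets the 48 secret bytes be copied by value implicitly, so copies can linger on the stack and cannot be zeroized reliably; consider dropping `Copy` (keeping `Clone`) so every copy is explicit, and keep `Debug` off this type so the raw bytes never reach a log. Separately, the hunk header counts one added line but the extraction stripped the `+` markers, and the SameSite comment the commit message refers to is not in this hunk at all, so the actual cookie-attribute change should be reviewed in its own hunk among the four changed files.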