How to add SameSite Cookies on phoenix

Hi, I have 4 sites script js on my all page source, and the Chrome shows me some warnings.

these errors:

how to fix and add these site in Phoenix as SameSite ?

my endpoint:

  plug Plug.Session,
    store: :cookie,
    secure: true,
    key: "_change_me_key",
    signing_salt: "change_me"

Hey, currently you can use the extra key in Plug.Session configuration:

  plug Plug.Session,
    store: :cookie,
    secure: true,
    key: "_change_me_key",
    signing_salt: "change_me",
    extra: "SameSite=Strict"
2 Likes

Thanks, this extra: "SameSite=Strict" is Enough ? or we should Introduce our sites we needed in my site? and don’t let the other site use this feature!!

the documents of Session have these:

one of them is same_site but it has no example for this

I’ve been using the extra: "SameSite=Strict" config for a while now with no issues. I think it’s enough.

Haven’t seen the :same_site option. When I implemented it, the extra field was the only way to do SameSite but maybe now it’s been added to Plug.

2 Likes

The documentation for Plug.Session you linked points to the documentation for Plug.Conn, where the option is described:

:same_site - set the cookie SameSite attribute to a string value. If no string value is set, the attribute is omitted.

The possible values for the SameSite cookie attributes are an HTTP standard, and not related to Phoenix or Plug. You can find some documentation here about the meaning of the three possible values: Lax, Strict, and None.

Setting :extra as advised by @ukutaht is also working, but as there is a specific :same_site option I would advise using that (it’s available from v1.10.1 apparently):

plug Plug.Session,
  same_site: "Strict",
  # ...other options
6 Likes

Cool, didn’t know there’s a field for it now!

2 Likes

It’s apparently only available since the latest version currently published, v1.10.1 :slight_smile: I edited my answer above to add this info, in case some readers are using older versions.

3 Likes

SameSite is wonderful. You might want to consider whether Lax or Strict is a better choice for your site, though. Strict means, among other things, that if somebody follows a link to your site, their browser won’t send the cookie with that request.

See http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

1 Like