How to add SameSite Cookies on phoenix

Hi, I have 4 sites' JS scripts in all my page sources, and Chrome shows me some warnings.

These errors:

How do I fix this and add these sites in Phoenix as SameSite?

My endpoint:

  plug Plug.Session,
    store: :cookie,
    secure: true,
    key: "_change_me_key",
    signing_salt: "change_me"
1 Like

Hey, currently you can use the extra key in Plug.Session configuration:

  plug Plug.Session,
    store: :cookie,
    secure: true,
    key: "_change_me_key",
    signing_salt: "change_me",
    extra: "SameSite=Strict"
2 Likes

Thanks. Is this extra: "SameSite=Strict" enough? Or should we introduce the sites we need in my site, and not let the other sites use this feature?!

The Session docs have these:

One of them is same_site, but there is no example for it.

I’ve been using the extra: "SameSite=Strict" config for a while now with no issues. I think it’s enough.

Haven’t seen the :same_site option. When I implemented it, the extra field was the only way to do SameSite but maybe now it’s been added to Plug.

2 Likes

The documentation for Plug.Session you linked points to the documentation for Plug.Conn, where the option is described:

:same_site - set the cookie SameSite attribute to a string value. If no string value is set, the attribute is omitted.

The possible values for the SameSite cookie attributes are an HTTP standard, and not related to Phoenix or Plug. You can find some documentation here about the meaning of the three possible values: Lax, Strict, and None.

Setting :extra as advised by @ukutaht is also working, but as there is a specific :same_site option I would advise using that (it’s available from v1.10.1 apparently):

  plug Plug.Session,
    same_site: "Strict",
    # ...other options
9 Likes

Cool, didn’t know there’s a field for it now!

2 Likes

It’s apparently only available since the latest version currently published, v1.10.1 :slight_smile: I edited my answer above to add this info, in case some readers are using older versions.

3 Likes

SameSite is wonderful. You might want to consider whether Lax or Strict is a better choice for your site, though. Strict means, among other things, that if somebody follows a link to your site, their browser won’t send the cookie with that request.

See http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

5 Likes
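Added example, not taken from any post in this thread: it combines the :same_site endpoint configuration from the accepted answer with the Lax/Strict trade-off from the last post, and wraps them in an ExUnit test that pushes a request through Plug.Session and inspects the resulting Set-Cookie header, so you can see exactly which attributes the browser will receive. It assumes Plug 1.10.1 or newer (for :same_site) and a Phoenix or Plug project where it runs under mix test; the module name, the 64-byte secret_key_base, the session key and the signing salt are constructed placeholders, not values from the thread.

```elixir
defmodule SameSiteSessionTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # The same keyword list you would pass to `plug Plug.Session` in the endpoint.
  # On Plug older than 1.10.1, replace `same_site: "Lax"` with
  # `extra: "SameSite=Lax"`, as the earlier answer suggested.
  @session_opts [
    store: :cookie,
    key: "_change_me_key",          # placeholder, as in the thread
    signing_salt: "change_me",      # placeholder, as in the thread
    secure: true,                   # only sent over HTTPS
    http_only: true,                # not readable from page JavaScript
    # "Lax": the cookie is still sent on top-level navigations such as a
    # link from another site. "Strict": it is withheld there too, so a
    # user following an external link arrives logged out.
    same_site: "Lax"
  ]

  # Run a request through the session plug, write one value into the session
  # and send a response; the cookie store serialises the cookie on send.
  defp run_session(conn, opts) do
    conn
    |> Plug.Session.call(Plug.Session.init(opts))
    |> fetch_session()
    |> put_session(:user_id, 42)
    |> send_resp(200, "ok")
  end

  # Parse the Set-Cookie line for `key` into a map of lower-cased attribute
  # name => value; bare flags such as Secure and HttpOnly map to true.
  defp cookie_attrs(conn, key) do
    conn
    |> get_resp_header("set-cookie")
    |> Enum.find(&String.starts_with?(&1, key <> "="))
    |> String.split("; ")
    |> Enum.map(fn part ->
      case String.split(part, "=", parts: 2) do
        [name, value] -> {String.downcase(name), value}
        [flag] -> {String.downcase(flag), true}
      end
    end)
    |> Map.new()
  end

  test "session cookie carries SameSite=Lax, Secure and HttpOnly" do
    conn =
      conn(:get, "/")
      # The cookie store signs the session with conn.secret_key_base; a
      # constructed 64-byte value stands in for the endpoint's real one.
      |> Map.put(:secret_key_base, String.duplicate("x", 64))
      |> run_session(@session_opts)

    attrs = cookie_attrs(conn, "_change_me_key")
    assert attrs["samesite"] == "Lax"
    assert attrs["secure"] == true
    assert attrs["httponly"] == true
  end
end
```

Drop this file into test/ and run mix test; switching same_site to "Strict" in @session_opts makes the first assertion fail, which is a cheap guard against the attribute being silently lost in an endpoint refactor.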