It’s my understanding that cookies with HttpOnly and SameSite = Strict (or Lax?) are secure enough to be used as WS authentication, without additional CSRF check.
If that’s the case, what do you think about skipping the CSRF check when retrieving the session if the session_opts passed to the Phoenix.Endpoint.socket/3 connect_info opts have same_site == "Strict"?
Since Phoenix encourages users to pass the same session_opts both to Plug.Session and to the connect_info opts, this should be secure for users following this recommendation. In order for it to become insecure, the user has to make a conscious decision to pass different options, thus fooling Phoenix into thinking it’s secure.
Previous discussions on this topic for context:
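As an added illustration of the reasoning in the post (this is not code from the post or from Phoenix), the following Python model encodes the SameSite cookie rules a browser applies when deciding whether to attach a session cookie to a request, and then applies the post's proposed decision: skip the CSRF check only when the session options handed to Plug.Session and to connect_info agree and specify same_site "Strict". The `Request` class, the `cookie_attached` and `csrf_check_required` functions, and the option dicts are hypothetical constructs for this example; the policy rules follow the SameSite specification (Strict: same-site only; Lax: same-site plus top-level navigations with a safe method; None: always). The Lax case is exposed by the model so the reader can examine it, but the decision function stays with the post's Strict-only proposal.

```python
"""Model of browser SameSite handling for a WebSocket handshake (added example)."""
from dataclasses import dataclass

# Methods the SameSite spec treats as "safe" for the Lax top-level-navigation exception.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    """Minimal description of a request as the browser sees it (hypothetical type)."""
    cross_site: bool            # initiating site differs from the target site
    top_level_navigation: bool  # address-bar navigation, link click, form submit
    method: str = "GET"


def cookie_attached(same_site: str, request: Request) -> bool:
    """Return True if a cookie with this SameSite value is sent with the request."""
    policy = same_site.capitalize()
    if policy == "None":
        return True                      # always sent (must also be Secure)
    if not request.cross_site:
        return True                      # same-site requests always carry the cookie
    if policy == "Lax":
        # Cross-site: only top-level navigations using a safe method
        return request.top_level_navigation and request.method in SAFE_METHODS
    if policy == "Strict":
        return False                     # never sent cross-site
    raise ValueError(f"unknown SameSite value: {same_site!r}")


# Constructed sample requests. A WebSocket handshake is an in-page GET,
# never a top-level navigation, so it is the case the post cares about.
CROSS_SITE_WS_HANDSHAKE = Request(cross_site=True, top_level_navigation=False, method="GET")
CROSS_SITE_LINK_CLICK = Request(cross_site=True, top_level_navigation=True, method="GET")
CROSS_SITE_FORM_POST = Request(cross_site=True, top_level_navigation=True, method="POST")


def csrf_check_required(plug_session_opts: dict, connect_info_session_opts: dict) -> bool:
    """Decision mirroring the post's proposal (hypothetical, not Phoenix code).

    The CSRF check is skipped only when both option sets are identical and the
    cookie is SameSite=Strict, so a cross-site handshake can never carry it.
    """
    if plug_session_opts != connect_info_session_opts:
        return True  # options diverge: the real cookie may not be Strict, keep the check
    same_site = plug_session_opts.get("same_site")
    if same_site is None:
        return True  # attribute not set explicitly: do not rely on browser defaults
    # Strict cookies are never attached cross-site, so the handshake is safe.
    return cookie_attached(same_site, CROSS_SITE_WS_HANDSHAKE) or same_site.capitalize() != "Strict"


if __name__ == "__main__":
    opts = {"store": "cookie", "key": "_app_key", "same_site": "Strict"}  # constructed
    print("Strict cookie on cross-site WS handshake:", cookie_attached("Strict", CROSS_SITE_WS_HANDSHAKE))
    print("Lax cookie on cross-site WS handshake:   ", cookie_attached("Lax", CROSS_SITE_WS_HANDSHAKE))
    print("Lax cookie on cross-site link click:     ", cookie_attached("Lax", CROSS_SITE_LINK_CLICK))
    print("CSRF check required (matching Strict):   ", csrf_check_required(opts, opts))
    print("CSRF check required (mismatched opts):   ", csrf_check_required(opts, {**opts, "same_site": "Lax"}))
```

Running the module prints the outcome for each constructed request; the mismatched-options case shows why the proposal leans on both option sets being the same, since the check is only skipped when the cookie actually carrying the session is known to be Strict.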