Revisiting accessing session cookie in `Phoenix.Socket.connect` for SameSite cookies

It’s my understanding that cookies with HttpOnly and SameSite = Strict (or Lax?) are secure enough to be used as WS authentication, without an additional CSRF check.

If that’s the case, what do you think about skipping the CSRF check when retrieving the session if the session_opts passed to the Phoenix.Endpoint.socket/3 connect_info opts have http_only and same_site == "Strict"?

Since Phoenix encourages users to pass the same session_opts both to Plug.Session and to the connect_info opts, this should be secure for users following this recommendation. In order for it to become insecure, the user has to make a conscious decision to pass different options, thus fooling Phoenix into thinking it’s secure.

Previous discussions on this topic for context:

Accessing cookies in Phoenix.Socket connect - #30 by OvermindDL1

Suggestion: Add Set-Cookie header to the connect_info · Issue #3150 · phoenixframework/phoenix · GitHub

Headers cannot be retrieved in connect_info when using sockets · Issue #3524 · phoenixframework/phoenix · GitHub
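For reference, here is the shared-options setup the post describes (one `@session_options` used by both `Plug.Session` and the socket's `connect_info`), together with a `connect/3` that authenticates only from the session and refuses the connection when Phoenix leaves the session empty. This is an added example, not code from the original post or from Phoenix itself; the module names (`MyAppWeb.Endpoint`, `MyAppWeb.UserSocket`, `MyAppWeb.RoomChannel`), the cookie key and the salt value are placeholders.

```elixir
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Single source of truth for the cookie attributes. The WebSocket transport
  # reads the same cookie with the same store/key/signing_salt, so keeping one
  # keyword list is what makes "same options on both sides" hold in practice.
  @session_options [
    store: :cookie,
    key: "_my_app_key",                      # placeholder
    signing_salt: "REPLACE_WITH_REAL_SALT",  # placeholder, generate per app
    same_site: "Strict",
    http_only: true,
    secure: true
  ]

  # connect_info: [session: ...] asks Phoenix to decode the session cookie
  # during the WS upgrade using exactly these options.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: false

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyAppWeb.RoomChannel

  # With the current Phoenix behaviour, connect_info[:session] is only
  # populated when the client sends a `_csrf_token` param that matches the
  # token bound to the session cookie; otherwise it is nil. Pattern matching
  # on a present session with an integer user_id rejects both the missing
  # token case and an anonymous session in one clause.
  @impl true
  def connect(_params, socket, %{session: %{"user_id" => user_id}})
      when is_integer(user_id) do
    {:ok, assign(socket, :user_id, user_id)}
  end

  # Anything else (no session, anonymous session, no connect_info) is refused.
  def connect(_params, _socket, _connect_info), do: :error

  # Naming the socket per user lets the app disconnect every socket of a user
  # (e.g. on logout) with MyAppWeb.Endpoint.broadcast("user_socket:ID", "disconnect", %{}).
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end

# Client side (for completeness, shown here as comments so the whole example
# stays in one language). The layout exposes the token and socket.js sends it:
#
#   <meta name="csrf-token" content={Plug.CSRFProtection.get_csrf_token()} />
#
#   let csrfToken = document.querySelector("meta[name='csrf-token']").content
#   let socket = new Socket("/socket", {params: {_csrf_token: csrfToken}})
#   socket.connect()
```

Under the proposal in the post, the `_csrf_token` round trip above is the part that would become optional when the options handed to `connect_info` carry `http_only: true` and `same_site: "Strict"`; the `connect/3` clauses would stay the same, since they only depend on whether Phoenix populated the session. Keeping the options in one module attribute is what prevents the two sides from drifting apart and silently weakening that assumption.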