This forum has moved, please join us on github discussions. We will keep these old posts available for reference. Thank you!

Is Apostrophe ready for SameSite cookie updates?

Hi Apostrophe team,

Auth0 has a blog post about the impact of security changes coming to browsers, in the form of SameSite (still researching myself). In their post they reference Google’s post, here.

Which obviously made me wonder if Apostrophe will be impacted by this change? Do you have any perspective / comment on this change?

Thanks,
Paul

Thanks for calling this to my attention.

It looks like the new default behavior could cause some confusion for users who are returning to the site via an external link and wonder why their login does not persist in that situation until they follow an internal link on the site or log in again. But the experience will not be broken, and you could certainly log in again.

For 3.x we might choose to use the Google-approved double-cookie approach described in that article if we want to continue to have long-persisting sessions. We are trying to freeze the 2.x feature set in order to focus on 3.x, but it’s possible we may have to deliver that tweak for 2.x as well. The best practice, though, might be to say that if the user really wants their editing login to be easy at the expense of some security, they should be using a password manager, not relying on cookies.

Update: Alex Bea brought this Google video to my attention. I think the article linked earlier is a little bit misleading. It does not sound like ordinary GET-method page links on other sites will be impacted:

There could certainly be impacts on various passport backends optionally hooked up via apostrophe-passport, but it’s up to those npm modules (not part of Apostrophe itself) to update if need be, and they no doubt will.

Who’s up to try this out using the experimental flags in Chrome?
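As an added example (not code from the thread and not Apostrophe's own implementation), the following Node script models the two points discussed above: which cross-site requests a browser applying the new default (unspecified SameSite treated as Lax) still attaches a session cookie to, and the "double cookie" fallback pattern for sessions that must survive cross-site use. The cookie name `apos.sid`, the `-legacy` suffix, the `cookieWouldBeSent` request model and the sample Cookie header are all assumptions made for illustration.

```javascript
// Added example: SameSite defaults and the double-cookie pattern.
// Not Apostrophe code; names and the request model are assumptions.

// Model a browser that applies the new default: a cookie with no SameSite
// attribute is treated as Lax, and SameSite=None requires Secure.
// attrs: { sameSite?: 'Strict'|'Lax'|'None', secure?: boolean }
// req:   { sameSite: boolean, topLevelNavigation: boolean, method: string }
function cookieWouldBeSent(attrs, req) {
  const mode = attrs.sameSite || 'Lax'; // unspecified -> Lax under the new default
  if (mode === 'None' && !attrs.secure) {
    // SameSite=None without Secure is rejected outright, so it is never sent.
    return false;
  }
  if (req.sameSite) return true;          // same-site requests always carry cookies
  if (mode === 'Strict') return false;     // never on cross-site requests
  if (mode === 'Lax') {
    // Lax: cross-site only on top-level navigations with a safe method,
    // which is why an ordinary GET link from another site still carries it.
    const safe = ['GET', 'HEAD'].includes(String(req.method).toUpperCase());
    return Boolean(req.topLevelNavigation) && safe;
  }
  return true;                             // None + Secure: sent everywhere
}

// Build the two Set-Cookie headers of the double-cookie pattern: a modern
// cookie with SameSite=None; Secure and a legacy copy without the attribute
// for older clients that mishandle SameSite=None. Both are HttpOnly.
function doubleCookieHeaders(name, value, opts = {}) {
  const common = ['Path=' + (opts.path || '/'), 'HttpOnly', 'Secure'];
  if (opts.maxAge) common.push('Max-Age=' + opts.maxAge);
  const enc = encodeURIComponent(value);
  return [
    `${name}=${enc}; ${common.join('; ')}; SameSite=None`,
    `${name}-legacy=${enc}; ${common.join('; ')}`
  ];
}

// Read the session id from an incoming Cookie header, preferring the modern
// cookie and falling back to the legacy copy. Returns null if neither exists.
function readDoubleCookie(cookieHeader, name) {
  const jar = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (k) jar[k] = decodeURIComponent(v);
  }
  if (jar[name] !== undefined) return jar[name];
  if (jar[name + '-legacy'] !== undefined) return jar[name + '-legacy'];
  return null;
}

// Stand-alone demo with a constructed session id and request shapes.
if (typeof require !== 'undefined' && require.main === module) {
  const link = { sameSite: false, topLevelNavigation: true, method: 'GET' };
  const embed = { sameSite: false, topLevelNavigation: false, method: 'GET' };
  console.log('Lax cookie on external link:', cookieWouldBeSent({}, link));   // true
  console.log('Lax cookie in cross-site iframe:', cookieWouldBeSent({}, embed)); // false
  console.log(doubleCookieHeaders('apos.sid', 'abc 123', { maxAge: 3600 }));
  console.log(readDoubleCookie('apos.sid-legacy=abc%20123', 'apos.sid'));   // 'abc 123'
}

module.exports = { cookieWouldBeSent, doubleCookieHeaders, readDoubleCookie };
```

Two caveats the model leaves out: Chrome also temporarily sends cookies set without a SameSite attribute on top-level cross-site POSTs if they are less than two minutes old (the "Lax+POST" mitigation), and the double-cookie pattern deliberately re-enables cross-site sending, so it only makes sense alongside a separate CSRF defense rather than as a substitute for one.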