https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259
David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |In Discussion

--- Comment #53 from David Cook <[email protected]> ---
Actually, I'm momentarily going to move this to "In Discussion".

I think using a Strict SameSite attribute would break the SSO implementation,
especially in terms of CSRF.

You'd have an anonymous session, then you redirect to the IdP, and then you're
redirected back. Since you're being redirected back via an external site, your
browser shouldn't send the Strict CGISESSID cookie, which means your CSRF
validation will fail.

I'll test that in a minute.

We might need to always use a "Lax" SameSite attribute for anonymous sessions.

I'll try to think of any other problem scenarios...

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
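The scenario in the comment above, as an added worked example (not code from the bug report or from Koha): a small model of the browser's SameSite rule applied to the SSO round-trip. An anonymous session cookie named CGISESSID is set by the Koha site, the browser is sent to an IdP, and the IdP sends it back with a top-level navigation. A CSRF token derived from the session id is then checked against whatever cookie the browser actually attached. The site names, secret and session value are constructed for the demo; the SameSite logic follows the attribute's published semantics (Strict: same-site only; Lax: same-site or top-level navigation with a safe method; None: always, Secure required) rather than any one browser's implementation. It also goes one step past the comment by trying the return leg as a POST, which a Lax cookie does not survive either.

```python
"""Model which session cookie a browser attaches when an IdP redirects
the user back to the application, for each SameSite value, and whether a
session-bound CSRF check still passes.  Demo only; names are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str        # registrable domain that set the cookie
    same_site: str   # "Strict", "Lax" or "None"


def cookie_is_sent(cookie, request_site, initiator_site, method, top_level_nav):
    """Approximate browser rule for the SameSite attribute.

    Strict: attached only when the request is same-site.
    Lax:    same-site requests, plus cross-site top-level navigations that use
            a safe method (GET/HEAD).  A cross-site POST does not qualify.
    None:   always attached (must also carry Secure; not modelled here).
    """
    if cookie.site != request_site:
        return False  # cookie belongs to a different site altogether
    same_site_request = initiator_site == request_site
    if cookie.same_site == "Strict":
        return same_site_request
    if cookie.same_site == "Lax":
        return same_site_request or (top_level_nav and method in ("GET", "HEAD"))
    return True  # SameSite=None


# Constructed demo secret; a real deployment keeps this out of the source.
CSRF_SECRET = b"constructed-demo-secret"


def csrf_token(session_id):
    """Session-bound token: HMAC of the session id, embedded in the page."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(token, sent_cookies):
    """Server side: recompute the token from the session cookie that arrived."""
    sid = sent_cookies.get("CGISESSID")
    if sid is None:
        return False  # no session cookie arrived, so nothing to bind to
    return hmac.compare_digest(token, csrf_token(sid))


def sso_round_trip(same_site, return_method="GET"):
    """Anonymous session on the app, hop to the IdP, IdP sends the browser back.

    Returns True when the CSRF check on the return request succeeds."""
    app_site, idp_site = "koha.example", "idp.example"  # constructed names
    session_cookie = Cookie("CGISESSID", "anon-session-1", app_site, same_site)
    token = csrf_token(session_cookie.value)  # issued while still on app_site

    # Step 1: browser navigates to the IdP; the app cookie plays no role there.
    # Step 2: the IdP responds with a redirect (or a self-submitting form),
    # i.e. a top-level navigation back to app_site initiated from idp_site.
    sent = {}
    if cookie_is_sent(session_cookie, request_site=app_site,
                      initiator_site=idp_site, method=return_method,
                      top_level_nav=True):
        sent[session_cookie.name] = session_cookie.value
    return csrf_valid(token, sent)


if __name__ == "__main__":
    for attr in ("Strict", "Lax", "None"):
        for method in ("GET", "POST"):
            ok = sso_round_trip(attr, method)
            print(f"SameSite={attr:<6} return={method:<4} csrf_ok={ok}")
```

Running the block prints the six combinations: Strict fails on both return methods, Lax passes only when the IdP sends the browser back with a GET redirect, and None passes in both cases. The POST row is the caveat worth keeping in mind when choosing "Lax" for anonymous sessions: an IdP that returns the assertion via a self-submitting form (a POST) behaves, for cookie purposes, like the Strict case.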
