Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Explicitly set the session cookie to SameSite=Lax (#50108)
Prior to this change, we were not explicitly setting the SameSite mode for our session cookie, which leaves the behavior up to the browser. Chromium-based browsers have been defaulting to SameSite=Lax since Chrome 80 in February 2020, so this is not a behavior change but rather locking in today's behavior and being explicit about it. Note that this is for Teleport's session cookie only. App session cookies remain using SameSite=None because the proxied app may itself be using SSO, and we need the app session cookie to make its way through SSO redirects.
- Loading branch information