Assume the user is already logged into the system. The user performed some activity and based on that they receive an email. The email has one link; if the user clicks it they will be redirected to the appropriate screen.
But for some reason, when the user tries the hyperlink they are logged out of the system and have to log in again.
After debugging it turns out that we have the below rule in the Apache conf file.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
After removing the above line everything works as expected.
So I am trying to find out the reason behind it (i.e. why the session issue occurs if the above rule is in place). Also, how should I add that rule without impacting the session, because HttpOnly and Secure cookies are required as per the security guideline?
2 Answers
I had the same issue and used the following code.
Note: Content-Security-Policy is to filter what type of data the server should be allowed to access, and you can remove that line if you want.
More reading: Set-Cookie, Cookies for dummies, SameSite cookie attribute
You need to change SameSite=strict to SameSite=lax (or just remove it, since lax is the default value). https://www.owasp.org/index.php/SameSite
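The mechanism behind the question and the second answer, as an added example that is not part of the original question or either answer: the click on the email link is a cross-site, top-level GET navigation. A browser never attaches a SameSite=Strict cookie to a cross-site request, so the session cookie is missing on that first request and the application sees an unauthenticated user; a SameSite=Lax cookie is attached on cross-site top-level navigations with safe methods (GET), but still not on cross-site POSTs. The script below applies the question's `Header edit` directive to a constructed `Set-Cookie` value the way mod_headers would (regex substitution, `$1` back-reference), then runs the browser's send decision over it for a few request shapes. The directive strings, the `JSESSIONID` sample cookie and the request descriptions are constructed for the example. Two practitioner caveats that the page itself does not mention: `^(.*)$` appends the attributes blindly, so a cookie that already carries them ends up with duplicates, and a plain `Header edit` only rewrites 2xx responses, so a login that ends in a 302 needs `Header always edit` to get the attributes at all.

```python
import re
from dataclasses import dataclass

# Apache directives from the question (hypothetical conf lines): the one that
# breaks the email link, and the corrected one the second answer recommends.
STRICT_DIRECTIVE = r'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict'
LAX_DIRECTIVE = r'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax'

# Constructed sample of what the application itself emits at login.
ORIGINAL_SET_COOKIE = 'JSESSIONID=0123456789abcdef; Path=/'

SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS', 'TRACE')


def apply_header_edit(directive: str, header_value: str) -> str:
    """Rewrite a header value as 'Header [always] edit <name> <regex> <replacement>' would.

    mod_headers uses $1..$9 back-references; Python's re.sub uses \\1..\\9, so the
    replacement is translated before the substitution is applied.
    """
    parts = directive.split()
    if parts[1] == 'always':          # 'Header always edit ...' form
        parts.pop(1)
    if parts[:2] != ['Header', 'edit'] or len(parts) != 5:
        raise ValueError(f'unsupported directive: {directive}')
    _, _, _name, regex, replacement = parts
    py_replacement = re.sub(r'\$(\d)', lambda m: '\\' + m.group(1), replacement)
    return re.sub(regex, py_replacement, header_value)


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}); attribute names are lowercased."""
    name_value, *raw_attrs = [p.strip() for p in header_value.split(';')]
    name, _, value = name_value.partition('=')
    attrs = {}
    for raw in raw_attrs:
        if raw:
            key, _, val = raw.partition('=')
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


@dataclass(frozen=True)
class Request:
    """The parts of a request that matter for the Secure/SameSite decision."""
    https: bool
    cross_site: bool            # site of the navigation source differs from the cookie's site
    top_level_navigation: bool  # address bar changes (link click, redirect), not a subresource/XHR
    method: str


def cookie_is_sent(header_value: str, request: Request) -> bool:
    """Decide, as a modern browser does, whether the cookie is attached to the request."""
    _, _, attrs = parse_set_cookie(header_value)
    if 'secure' in attrs and not request.https:
        return False
    samesite = attrs.get('samesite', 'lax').lower()   # missing attribute is treated as Lax
    if samesite == 'none':
        return 'secure' in attrs                      # SameSite=None without Secure is rejected outright
    if not request.cross_site:
        return True                                   # same-site requests always carry the cookie
    if samesite == 'strict':
        return False                                  # Strict: never on a cross-site request
    # Lax: only cross-site top-level navigations using a safe method
    return request.top_level_navigation and request.method.upper() in SAFE_METHODS


# Constructed request shapes for the scenario in the question.
EMAIL_LINK_CLICK = Request(https=True, cross_site=True, top_level_navigation=True, method='GET')
IN_APP_LINK_CLICK = Request(https=True, cross_site=False, top_level_navigation=True, method='GET')
CROSS_SITE_FORM_POST = Request(https=True, cross_site=True, top_level_navigation=True, method='POST')


def session_survives(directive: str, request: Request) -> bool:
    """True if the session cookie, after the directive has rewritten it, reaches the server."""
    return cookie_is_sent(apply_header_edit(directive, ORIGINAL_SET_COOKIE), request)


if __name__ == '__main__':
    for label, directive in (('strict', STRICT_DIRECTIVE), ('lax', LAX_DIRECTIVE)):
        print(label, apply_header_edit(directive, ORIGINAL_SET_COOKIE))
        print('  email link  :', 'logged in' if session_survives(directive, EMAIL_LINK_CLICK) else 'logged out')
        print('  in-app link :', 'logged in' if session_survives(directive, IN_APP_LINK_CLICK) else 'logged out')
        print('  x-site POST :', 'logged in' if session_survives(directive, CROSS_SITE_FORM_POST) else 'logged out')
```

The in-app link succeeds under both directives, which is why the problem only shows up on the link that arrives by email; the cross-site POST case shows what Lax still protects against (a CSRF-style form submission from another site), so switching from Strict to Lax keeps the HttpOnly and Secure flags the guideline requires without losing the main SameSite benefit.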