
Explicitly setting the SameSite cookie attribute to Lax #385

Closed
johhnry opened this issue Oct 9, 2021 · 2 comments


johhnry commented Oct 9, 2021

I am developing a front-end application that uses the authentication system of Zou in order to display account-restricted pages and data.

To do that, I make a request to /api/auth/login and it sets the access_token cookie with the Set-Cookie header for me automatically.

The issue is that in Firefox or Chromium, I get the following warning:

[Screenshot from 2021-10-09 19-47-45]

In Chrome based browsers, the cookie is simply rejected.

This is because the SameSite attribute is not set in the Set-Cookie header sent by Zou.

From the MDN documentation:

> Recent versions of modern browsers provide a more secure default for SameSite to your cookies and so the following message might appear in your console:
>
> Cookie "myCookie" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.
>
> The warning appears because the SameSite policy for a cookie was not explicitly specified:
>
> Set-Cookie: flavor=choco
>
> You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers as not all of them default to Lax yet.

Looking at the flask-jwt-extended library used with Flask in Zou, in the documentation there is this environment variable:

> JWT_COOKIE_SAMESITE
>
> Controls how the cookies should be sent in a cross-site browsing context. Available options are "None", "Lax", or "Strict".
>
> To use SameSite=None, you must set this option to the string "None" as well as setting JWT_COOKIE_SECURE to True.

And this environment variable is not set in the zou config ;)
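The two browser rules the report relies on (a Set-Cookie without a SameSite attribute is treated as Lax and triggers a console warning; SameSite=None is only honoured together with Secure) can be checked mechanically on a server's response headers. The following Python script is an added example written for this page; it is not code from the issue, from Zou, or from flask-jwt-extended. It parses Set-Cookie header values and reports those two conditions. The cookie names and values in `SAMPLE_HEADERS` are constructed (the first entry mirrors the issue, the second the fix of sending SameSite=Lax), and treating an unrecognised SameSite value like a missing one is an assumption made for this example, not documented browser behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Browser behaviour described in the issue and the MDN text it quotes:
# a cookie without SameSite is treated as Lax (with a console warning), and
# SameSite=None is only honoured when the cookie is also marked Secure.
DEFAULT_SAMESITE = "Lax"
CANONICAL = {"lax": "Lax", "strict": "Strict", "none": "None"}


@dataclass
class CookieReport:
    name: str
    declared_samesite: Optional[str]   # value as sent, or None if absent
    effective_samesite: str            # what a modern browser will apply
    secure: bool
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: dict[str, str] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str) -> CookieReport:
    """Apply the SameSite rules from the issue to a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite")
    findings: list[str] = []

    if declared is None:
        effective = DEFAULT_SAMESITE
        findings.append(
            "SameSite attribute missing: browsers default to Lax and log a "
            "warning; set it explicitly (e.g. SameSite=Lax)"
        )
    else:
        effective = CANONICAL.get(declared.lower())
        if effective is None:
            # Not one of Lax/Strict/None: reported like a missing attribute.
            # This is an assumption of the example, not a browser rule.
            effective = DEFAULT_SAMESITE
            findings.append(
                f"unrecognised SameSite value {declared!r}; use Lax, Strict or None"
            )

    if effective == "None" and not secure:
        findings.append(
            "SameSite=None without Secure: Chromium-based browsers reject the cookie"
        )

    return CookieReport(name, declared, effective, secure, findings)


def lint_headers(headers: list[tuple[str, str]]) -> list[CookieReport]:
    """Run check_set_cookie over every Set-Cookie header of one response."""
    return [check_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


# Constructed sample response headers (not captured from Zou): the first
# Set-Cookie mirrors the issue (no SameSite), the second the fix
# (SameSite=Lax), the third the None-without-Secure case from the
# flask-jwt-extended documentation quoted above.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "access_token=example.token.value; HttpOnly; Path=/"),
    ("Set-Cookie", "access_token=example.token.value; HttpOnly; Path=/; SameSite=Lax"),
    ("Set-Cookie", "example_cookie=abc123; Path=/; SameSite=None"),
]

if __name__ == "__main__":
    for report in lint_headers(SAMPLE_HEADERS):
        status = "OK" if report.ok else "WARN"
        print(f"[{status}] {report.name}: effective SameSite={report.effective_samesite}")
        for finding in report.findings:
            print(f"        - {finding}")
```

Run it against the Set-Cookie headers a real login response returns (for example the ones captured from the browser's network panel) to confirm that every cookie carries an explicit SameSite value and that any SameSite=None cookie is also Secure; a clean run corresponds to the state after JWT_COOKIE_SAMESITE is set.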

EvanBldy (Member) commented:

Hello @johhnry, thanks for the suggestion!
I have made a PR to set JWT_COOKIE_SAMESITE to Lax.


johhnry commented Oct 15, 2021

@EvanBldy Awesome, thank you for the support 👍

@johhnry johhnry closed this as completed Oct 15, 2021