Enabling same-site cookies by default is a little risky now, because current browsers don't always set them properly.
https://bugs.chromium.org/p/chromium/issues/detail?id=961617

On Sun, Jun 7, 2020 at 6:42 PM Claude Pache <claude.pa...@gmail.com> wrote:
>
> > On 7 June 2020 at 22:15, AllenJB <php.li...@allenjb.me.uk> wrote:
> >
> > Are there any other session (security) related settings that should be
> > tightened by default? (cookie_samesite?)
>
> Yes, of course:
>
> * session.cookie_httponly should be "1" by default.
> * session.cookie_samesite should be "Lax" by default.
> * Ideally, session.cookie_secure should be enabled by default on https;
> sadly, the setting does not allow having different values for secure and
> insecure connections.
>
> —Claude
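Added example, not code from this thread or from PHP itself: the three settings under discussion applied at runtime with session_set_cookie_params() (PHP 7.3 or later accepts the array form), plus a small audit of the php.ini defaults. Setting the "secure" flag from the actual connection is the one thing a static php.ini value cannot do, which is the limitation Claude points out. The function and variable names, and the assumption of a direct (non-proxied) TLS connection, are this example's own.

```php
<?php
declare(strict_types=1);

// Whether the current request arrived over TLS. Assumes PHP terminates TLS
// itself; behind a TLS-terminating proxy you would consult a forwarded
// header that the proxy is trusted to set (assumption, not covered here).
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Cookie attributes matching the proposed defaults; "secure" is chosen per
// request instead of being fixed in php.ini.
function hardened_cookie_params(bool $https): array
{
    return [
        'lifetime' => 0,        // expires when the browser session ends
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => $https,   // only sent over TLS when the request itself used TLS
        'httponly' => true,     // session.cookie_httponly = 1
        'samesite' => 'Lax',    // session.cookie_samesite = Lax
    ];
}

// Report which php.ini session cookie settings are weaker than the proposed
// defaults. Returns an empty array when nothing needs attention.
function audit_session_ini(): array
{
    $findings = [];
    if (ini_get('session.cookie_httponly') !== '1') {
        $findings[] = 'session.cookie_httponly is not 1: cookie readable from JavaScript';
    }
    $samesite = (string) ini_get('session.cookie_samesite');
    if (!in_array(strtolower($samesite), ['lax', 'strict'], true)) {
        $findings[] = 'session.cookie_samesite is not Lax/Strict: cookie sent on cross-site requests';
    }
    if (ini_get('session.cookie_secure') !== '1') {
        $findings[] = 'session.cookie_secure is not 1: cookie may be sent over plain HTTP';
    }
    return $findings;
}

if (PHP_SAPI !== 'cli') {
    // Must run before session_start() so the Set-Cookie header carries the attributes.
    session_set_cookie_params(hardened_cookie_params(request_is_https($_SERVER)));
    session_start();
} else {
    // Command-line use: just print the php.ini audit.
    foreach (audit_session_ini() as $finding) {
        echo $finding, PHP_EOL;
    }
}
```

Running the script from the command line prints only the audit, which is a quick way to check a deployment's php.ini against the defaults proposed in the thread; under a web SAPI it applies the parameters before starting the session.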