misc: add samesite=Lax to all set_cookie calls (#60798)

src/authentic2/middleware.py

@@ -77,6 +77,7 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
                 max_age=None,
                 domain=domain,
                 secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
+                samesite='Lax',
             )
         elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
             response.delete_cookie(name, domain=domain)
@@ -258,7 +259,7 @@ class CookieTestMiddleware(MiddlewareMixin):
     def process_response(self, request, response):
         if not self.check(request):
             # set test cookie for 1 year
-            response.set_cookie(self.COOKIE_NAME, '1', max_age=365 * 24 * 3600)
+            response.set_cookie(self.COOKIE_NAME, '1', max_age=365 * 24 * 3600, samesite='Lax')
         return response
 
 

src/authentic2/utils/misc.py

@@ -1302,6 +1302,7 @@ def prepend_remember_cookie(request, response, name, value, count=5):
         max_age=86400 * 365,  # keep preferences for 1 year
         path=request.path,
         httponly=True,
+        samesite='Lax',
     )
 
 

src/authentic2/views.py

@@ -631,7 +631,7 @@ def logout(request, next_url=None, do_local=True, check_referer=True):
     logger.debug('Next redirection : %s', next_url)
     response = shortcuts.redirect(next_url)
     if local_logout_done:
-        response.set_cookie('a2_just_logged_out', 1, max_age=60)
+        response.set_cookie('a2_just_logged_out', 1, max_age=60, samesite='Lax')
     return response