silverstripe-framework/docs/en/04_Changelogs/4.12.0.md
Guy Sartorelli 31c974c528 ENH Add samesite attribute to cookies.
Co-authored-by: pine3ree <pine3ree@gmail.com>
2022-06-02 12:01:03 +12:00

2.1 KiB

title
4.12.0 (unreleased)

4.12.0 (unreleased)

Overview

Regression test and Security audit

This release has been comprehensively regression tested and passed to a third party for a security-focused audit.

While it is still advised that you perform your own due diligence when upgrading your project, this work is performed to ensure a safe and secure upgrade with each recipe release.

Features and enhancements

Samesite attribute on cookies

The samesite attribute is now set on all cookies. To avoid backward compatability issues, the Lax value has been set by default, but we recommend reviewing the requirements of your project and setting an appropriate value.

The default value can be set for all cookies (except for the session cookie) in yaml configuration like so:

SilverStripe\Control\Cookie:
  default_samesite: 'Strict'

Check out the cookies documentation for more information.

The session cookie is handled separately. You can configure it like so:

SilverStripe\Control\Session:
  cookie_samesite: 'Strict'

Note that if you set the samesite attribute to None, the secure is automatically set to true as required by the specification.

For more information about the samesite attribute check out https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Other new features

Bugfixes

This release includes a number of bug fixes to improve a broad range of areas. Check the change logs for full details of these fixes split by module. Thank you to the community members that helped contribute these fixes as part of the release!