The use of `SameSite=Strict` on the aurweb cookies currently breaks navigation from third-party origins. For example, navigating to aurweb from a search engine or a webmail provider leads to confusion because the chosen language and the login session ID aren't sent by the browser in these cases.
The fix for this is to use `SameSite=Lax`, which is similar to `SameSite=Strict` except that cookies are sent when the user navigates cross-site, for example via server-initiated redirects or by following a hyperlink. Like `SameSite=Strict`, cookies are not sent for cross-site subresource requests (`<img>`, etc). See more about
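To make the Strict/Lax difference concrete, here is an added example (not aurweb code and not part of this MR) that models the browser's SameSite attachment rule from RFC 6265bis and runs the scenarios described above; the `Request` fields and the scenario set are constructed for illustration.

```python
"""Model of the browser's SameSite decision (RFC 6265bis), used to check
which request types carry the aurweb session/language cookies under
Strict versus Lax. Scenario names and request values are constructed."""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    same_site: bool   # initiator site == target site (scheme + registrable domain)
    top_level: bool   # navigation changing the address bar (not <img>, fetch, iframe)
    method: str


def cookie_sent(samesite: str, req: Request) -> bool:
    """Return True if a cookie with the given SameSite value is attached to req."""
    value = samesite.lower()
    if req.same_site:
        return True   # all three modes send cookies on same-site requests
    if value == "none":
        return True   # cross-site always allowed (browsers also require Secure)
    if value == "strict":
        return False  # never attached to cross-site requests
    if value == "lax":
        # cross-site only for top-level navigations using a safe method
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")


# Constructed scenarios matching the cases discussed in the MR description
SCENARIOS = {
    "link from search engine": Request(False, True, "GET"),
    "server redirect from webmail": Request(False, True, "GET"),
    "<img> embedded on third-party page": Request(False, False, "GET"),
    "cross-site POST form": Request(False, True, "POST"),
    "same-site navigation within aurweb": Request(True, True, "GET"),
}


def compare_modes(scenarios=SCENARIOS) -> dict:
    """Map scenario name -> (sent under Strict, sent under Lax)."""
    return {name: (cookie_sent("Strict", r), cookie_sent("Lax", r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (strict, lax) in compare_modes().items():
        print(f"{name:40s} Strict={str(strict):5} Lax={lax}")
```

The two navigation cases are exactly the ones that lose the session under Strict and keep it under Lax, while the embedded `<img>` and cross-site POST cases stay cookie-less in both modes.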
I have prepared a test page for manual testing at https://pages.x0.is/aurweb-samesite-lax-test.html
This page includes various ways to redirect to https://localhost:8444/. So to test, you'd just need to start up aurweb locally with
In addition to adjusting the existing secure login test, this MR also adds a test for insecure logins (`disable_http_login=0`) to improve test coverage a little bit.