X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/1ee3e779e4b9b0a92f701a72f21a72c83cb1ce68..refs/pull/5280/head:/app/Config/session.php diff --git a/app/Config/session.php b/app/Config/session.php index 37f1627bb..f2ec2509f 100644 --- a/app/Config/session.php +++ b/app/Config/session.php @@ -1,5 +1,7 @@ '/', + 'path' => '/' . (explode('/', env('APP_URL', ''), 4)[3] ?? ''), // Session Cookie Domain // Here you may change the domain of the cookie used to identify a session @@ -69,7 +71,8 @@ return [ // By setting this option to true, session cookies will only be sent back // to the server if the browser has a HTTPS connection. This will keep // the cookie from being sent to you if it can not be done securely. - 'secure' => env('SESSION_SECURE_COOKIE', false), + 'secure' => env('SESSION_SECURE_COOKIE', null) + ?? Str::startsWith(env('APP_URL', ''), 'https:'), // HTTP Access Only // Setting this value to true will prevent JavaScript from accessing the @@ -80,6 +83,13 @@ return [ // This option determines how your cookies behave when cross-site requests // take place, and can be used to mitigate CSRF attacks. By default, we // do not enable this as other CSRF protection services are in place. - // Options: lax, strict - 'same_site' => null, + // Options: lax, strict, none + 'same_site' => 'lax', + + + // Partitioned Cookies + // Setting this value to true will tie the cookie to the top-level site for + // a cross-site context. Partitioned cookies are accepted by the browser + // when flagged "secure" and the Same-Site attribute is set to "none". + 'partitioned' => false, ];