sameSite no longer defaults to 'None' when undefined about cookie-session HOT 4 CLOSED

Hello! So there are a couple things here.

(1) Yes, I will be updating the library soon to enable setting the attribute to None.
(2) No, that won't happen automatically because not having the attribute set and having it set to None is actually different behavior. This is especially the case as older Safaris will actually ignore the entire cookie is sameSite=None is set on the Set-Cookie header, which means if you would need to set it to None, you'll need to make sure you test in the browsers and versions which you need to support.

It is ultimately Chrome that is making the breaking change and breaking from the web standard (https://www.chromestatus.com/feature/5088147346030592), and this module suddenly including the attribute set to None breaking existing clients who follow it (like Safaris) is itself also breaking behavior.

from cookie-session.

Thanks for being so fast and for clarifying the differences in behavior as well. We're aware of the safari issue with sameSite='None', and I think we'll just say screw it since most of our users and dev team use chrome and occasionally IE/Edge.

from cookie-session.

Yep, that was just regarding the module producing a cookie with it set by default. The underlying library that does the cookies is releasing a version with "none" support later today, at which point this module will release a new version with the updated underlying library.

from cookie-session.

Version 1.4.0 has been published which supports setting sameSite to the 'none' value.

from cookie-session.