eventlogger/auth: update cookie policy to Lax to allow sending on redirects

Administrator requested to merge fa/send-cookies-w-oauth into main

Created by: attfarhan

Fixes https://github.com/sourcegraph/sourcegraph/issues/30020.

Our attribution cookies were not getting sent when users signed up via GitHub and GitLab auth because the sameSite policy was set to Strict. This means that on redirects or following links to Sourcegraph, we would not send these cookies in the request. However, when a user signs up via GitHub auth, we redirect them to the site after approving access.

This PR changes the sameSite policy to Lax, so that these cookies are sent on redirects as well. @david-sandy can you confirm that this is safe? We believe this isn't a security risk, but want to check.
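
An added example, not part of the original PR or of Sourcegraph's code: a simplified JavaScript model of how a browser applies the SameSite attribute to the requests described above, comparing Strict and Lax. The site names, the cookie name and the request set are constructed, and sites are passed in directly rather than derived from URLs.

```javascript
// Simplified model of browser SameSite enforcement (RFC 6265bis draft).
// Assumption: each request carries its initiator and target "site" directly;
// a real browser derives them from registrable domains and schemes.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function shouldSendCookie(cookie, request) {
  if (request.initiatorSite === request.targetSite) return true; // same-site
  switch (cookie.sameSite) {
    case 'Strict':
      return false; // never attached to cross-site requests
    case 'Lax':
      // only top-level navigations that use a safe method
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case 'None':
      return cookie.secure === true; // browsers reject None without Secure
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed requests to a placeholder site, sourcegraph.example.
const TARGET = 'sourcegraph.example';
const REQUESTS = {
  // OAuth provider sends the browser back after the user approves access
  oauthRedirect: { initiatorSite: 'github.com', topLevelNavigation: true, method: 'GET' },
  // user follows a link from another site
  inboundLink: { initiatorSite: 'other.example', topLevelNavigation: true, method: 'GET' },
  // cross-site form submission (the classic CSRF shape)
  crossSitePost: { initiatorSite: 'other.example', topLevelNavigation: true, method: 'POST' },
  // cross-site subresource load such as an image or fetch()
  crossSiteSubresource: { initiatorSite: 'other.example', topLevelNavigation: false, method: 'GET' },
  // ordinary in-app navigation
  sameSiteNav: { initiatorSite: TARGET, topLevelNavigation: true, method: 'GET' },
};

// Returns { requestName: boolean } for a hypothetical cookie with the given policy.
function evaluate(policy) {
  const cookie = { name: 'attribution_example', sameSite: policy, secure: true };
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) {
    out[name] = shouldSendCookie(cookie, { ...req, targetSite: TARGET });
  }
  return out;
}

console.log('Strict', evaluate('Strict'));
console.log('Lax   ', evaluate('Lax'));
```

In this model, moving from Strict to Lax changes the outcome only for the two safe-method top-level navigations (the OAuth redirect and the inbound link); the cross-site POST and the subresource request still go out without the cookie.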
