From b1bc7b537016814b4d848b6bb41e0f1b86ce2d44 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Wed, 28 Sep 2022 09:51:04 +0530
Subject: [PATCH 1/2] fix(server): set default app cookie to lax mode

---
 server/cookie/cookie.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/cookie/cookie.go b/server/cookie/cookie.go
index 27b0579..5bb1996 100644
--- a/server/cookie/cookie.go
+++ b/server/cookie/cookie.go
@@ -29,10 +29,16 @@ func SetSession(gc *gin.Context, sessionID string) {
 		domain = "." + domain
 	}
 
+	// Use sameSite = lax by default
+	// For more information check:
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+	// https://github.com/gin-gonic/gin/blob/master/context.go#L86
+	// TODO add ability to sameSite = none / strict from dashboard
+	gc.SetSameSite(http.SameSiteLaxMode)
+
 	// TODO allow configuring from dashboard
 	year := 60 * 60 * 24 * 365
 
-	gc.SetSameSite(http.SameSiteNoneMode)
 	gc.SetCookie(constants.AppCookieName+"_session", sessionID, year, "/", host, secure, httpOnly)
 	gc.SetCookie(constants.AppCookieName+"_session_domain", sessionID, year, "/", domain, secure, httpOnly)
 }

From f5323e0eecffbf3bb5950aa26d1430b1e735d23b Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Wed, 28 Sep 2022 10:36:56 +0530
Subject: [PATCH 2/2] fix(server): update comments for host & cookies

---
 server/cookie/cookie.go | 2 ++
 server/parsers/url.go   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/cookie/cookie.go b/server/cookie/cookie.go
index 5bb1996..efc8885 100644
--- a/server/cookie/cookie.go
+++ b/server/cookie/cookie.go
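Review bot: The switch to `http.SameSiteLaxMode` changes which requests carry the session cookie, and the comment block added above it should say so: a Lax cookie is attached to same-site requests and to cross-site top-level GET navigations only, so a cross-site fetch/XHR from a UI hosted on another domain will no longer include `_session` or `_session_domain`. Lax is the CSRF-safer default, but the `TODO add ability to sameSite = none / strict` line should record that browsers honour `SameSite=None` only together with `Secure`, so the future dashboard option must refuse `none` whenever `secure` (passed to both `SetCookie` calls here, presumably declared earlier in SetSession) is false. I would replace the first added comment with `// Use sameSite = lax by default: sent on same-site requests and cross-site top-level GET navigations only; cross-site fetch/XHR would need None together with Secure.`. SetSession's body begins before this hunk.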
@@ -30,6 +30,8 @@ func SetSession(gc *gin.Context, sessionID string) {
 	}
 
 	// Use sameSite = lax by default
+	// Since app cookie can come from cross site it becomes important to set this in lax mode.
+	// Example person using custom UI on their app domain and making request to authorizer domain.
 	// For more information check:
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
 	// https://github.com/gin-gonic/gin/blob/master/context.go#L86
diff --git a/server/parsers/url.go b/server/parsers/url.go
index 315dc0e..c98ad54 100644
--- a/server/parsers/url.go
+++ b/server/parsers/url.go
@@ -11,8 +11,8 @@ import (
 )
 
 // GetHost returns hostname from request context
-// if X-Authorizer-URL header is set it is given highest priority
-// if EnvKeyAuthorizerURL is set it is given second highest priority.
+// if EnvKeyAuthorizerURL is set it is given highest priority.
+// if X-Authorizer-URL header is set it is given second highest priority
 // if above 2 are not set the requesting host name is used
 func GetHost(c *gin.Context) string {
 	authorizerURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL)
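Review bot: The two added rationale lines state the SameSite semantics backwards: a request from a custom UI on the app domain to the authorizer domain is cross-site, and a Lax cookie is not attached to such fetch/XHR calls, only to cross-site top-level GET navigations. Lax is still the right CSRF default, but a reader following this comment would expect the cross-domain UI flow to work with the session cookie, and it will not. Suggest replacing the two lines with `// Lax sends the cookie on same-site requests and on cross-site top-level GET navigations only,` and `// not on cross-site fetch/XHR; a custom UI on another domain calling this server directly needs SameSite=None together with Secure.`. The rest of SetSession lies outside this hunk.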
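Review bot: The reordered doc comment now says EnvKeyAuthorizerURL wins over the `X-Authorizer-URL` header but not why, which is the security-relevant part: the header is request-supplied, and the host returned here is presumably what SetSession scopes the session cookies to. I would add after the last comment line `// X-Authorizer-URL is client-controlled; set EnvKeyAuthorizerURL in deployments so the cookie host cannot be influenced by the request.`, and restore the missing period after `second highest priority` to match the neighbouring lines. GetHost's body starts on the last hunk line and continues past it, so whether the code order matches the comment cannot be confirmed from this hunk.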