SameSite cookie option applies only to _csrf cookie

[SagePtr]

• Gitea version (or commit ref): 1.14.2, 1.15.0+dev-344-g5285a3e70
• Git version: unrelated
• Operating system: unrelated
• Database: unrelated
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No

Description

Only _csrf cookie gets SameSite option. The other cookies have no.

Screenshots

[SagePtr]

Mostly fixed, but the cookie "i_like_gitea" (session identifier cookie?) still comes without SameSite:

(i cleaned up cookies, so it's not the old cookie)

[zeripath]

I almost missed this comment - please do not comment on closed bugs!

gitea/routers/routes/web.go

Lines 156 to 165 in effad26

	routes.Use(session.Sessioner(session.Options{
	Provider: setting.SessionConfig.Provider,
	ProviderConfig: setting.SessionConfig.ProviderConfig,
	CookieName: setting.SessionConfig.CookieName,
	CookiePath: setting.SessionConfig.CookiePath,
	Gclifetime: setting.SessionConfig.Gclifetime,
	Maxlifetime: setting.SessionConfig.Maxlifetime,
	Secure: setting.SessionConfig.Secure,
	Domain: setting.SessionConfig.Domain,
	}))

looks like it's misses setting the SameSite setting. This is probably due to a reversion at some point... I'll pop up a patch.

Damn I thought I checked all of these cookies but obviously missed this.