-
Stan Hu authored
Some users reported being logged out quite frequently, and we suspect a change in Chrome caused this. Chrome v80, rolled out in March 2020, treats any cookies without the SameSite directive set as though they are SameSite=Lax (https://www.chromestatus.com/feature/5088147346030592). This is a breaking change from the previous default behavior, which was to treat those cookies as SameSite=None. To fix this, we add a middleware that tags all cookies with the Secure and SameSite=None headers. This middleware is needed until we upgrade to Rack v2.1.0+ (https://github.com/rack/rack/commit/c859bbf7b53cb59df1837612a8c330dfb4147392) and a version of Rails that has native support (https://github.com/rails/rails/commit/7ccaa125ba396d418aad1b217b63653d06044680). Closes https://gitlab.com/gitlab-org/gitlab/-/issues/212551
39a4aa20