Cookie has SameSite directive set to None


Topic to Evaluate

On a standalone instance of GitLab, insecure settings are used in the session cookie:

_gitlab_session=72c18403db8c68e19c1b3ecc9f967612; path=/; expires=Fri, 04 Dec 2020 18:45:21 GMT; secure; HttpOnly; SameSite=None

The SameSite directive is set to None, so the browser attaches the session cookie to every cross-site request. As an anti-CSRF measure, this should be set to Lax (the cookie is still sent on top-level navigations to the standalone instance from another site, but not on cross-site subrequests such as form POSTs or fetches) or Strict (the cookie is only sent on requests that originate from the instance itself).

Proposed Solution

Minimally, the SameSite parameter should be set to Lax.
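The check a reviewer would run against the header quoted above, as an added example (this is not code from the GitLab issue or the GitLab code base; GitLab is a Rails application, so Ruby is used). It parses a Set-Cookie header, reports the weaknesses the issue describes (SameSite=None, and missing Secure/HttpOnly), and shows what the hardened header looks like. The `SAMPLE` constant is the cookie from the issue; `audit_session_cookie` and `hardened_header` are helper names chosen here.

```ruby
# Added example, not part of the GitLab issue: audit a Set-Cookie header for
# SameSite / Secure / HttpOnly weaknesses and emit a hardened version.

# Parse a Set-Cookie header into name, value and a hash of attributes.
# Attribute names are case-insensitive per RFC 6265, so they are downcased.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Return a list of findings; an empty list means the cookie meets the policy
# (SameSite Lax or Strict, Secure and HttpOnly present).
def audit_session_cookie(header, require_strict: false)
  cookie = parse_set_cookie(header)
  attrs = cookie[:attrs]
  findings = []
  same_site = attrs['samesite']
  same_site = same_site.downcase if same_site.is_a?(String)

  case same_site
  when nil
    findings << 'SameSite attribute missing (browsers default to Lax, but set it explicitly)'
  when 'none'
    findings << 'SameSite=None: cookie is sent on cross-site requests, weakening CSRF defence'
  when 'lax'
    findings << 'SameSite=Lax: consider Strict' if require_strict
  when 'strict'
    # acceptable
  else
    findings << "Unrecognised SameSite value #{attrs['samesite']}"
  end

  findings << 'Secure flag missing' unless attrs['secure']
  findings << 'HttpOnly flag missing' unless attrs['httponly']
  # Browsers reject SameSite=None cookies that are not also Secure.
  findings << 'SameSite=None requires Secure' if same_site == 'none' && !attrs['secure']
  findings
end

# Rewrite the header with the requested SameSite value plus Secure and HttpOnly.
def hardened_header(header, same_site: 'Lax')
  cookie = parse_set_cookie(header)
  attrs = cookie[:attrs].merge('samesite' => same_site, 'secure' => true, 'httponly' => true)
  serialized = attrs.map { |k, v| v == true ? k : "#{k}=#{v}" }
  (["#{cookie[:name]}=#{cookie[:value]}"] + serialized).join('; ')
end

# The header quoted in the issue.
SAMPLE = '_gitlab_session=72c18403db8c68e19c1b3ecc9f967612; path=/; ' \
         'expires=Fri, 04 Dec 2020 18:45:21 GMT; secure; HttpOnly; SameSite=None'

if __FILE__ == $PROGRAM_NAME
  puts 'Findings for the reported cookie:'
  audit_session_cookie(SAMPLE).each { |f| puts "  - #{f}" }
  puts 'Hardened header:'
  puts "  #{hardened_header(SAMPLE)}"
  puts "Findings after hardening: #{audit_session_cookie(hardened_header(SAMPLE)).inspect}"
end
```

In a Rails application the attribute is normally set where the session store is configured rather than by rewriting headers; Rack's cookie session store accepts a `same_site:` option (for example `same_site: :lax`), and it is assumed here, not confirmed by the issue, that GitLab's own session store initializer is the place such a setting belongs.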

/cc @estrike
