
hryb0 (hryb0) asked a question.
The React app I've been working on has been pen tested recently. One of the items that came up was the recommendation that cookies should have SameSite set to "Lax" as a minimum.
The only cookies in our react app are the following from Okta:
- okta-oauth-nonce
- okta-oauth-redirect-params
- okta-oauth-state
These all have SameSite set to "None".
Is there a way to configure the SameSite value for these cookies?
Thanks,
Jaimie

Hi @hryb0 (hryb0),
Thank you for posting on the Okta community page!
I have done some research on my end and it seems that the cookies you mentioned are set by the SDK, but I couldn't find a way or any documentation on how to configure the SameSite value for these cookies.
Additionally, I managed to find a thread that shows what value SameSite will have in different scenarios, but keep in mind that the link is a bit old:
My advice would be to also leverage the Okta Developer forums for this type of question and take advantage of their expertise.
I found a solution that I'm adding in case anyone else finds this question.
In the configuration object that is passed to the OktaAuth object from okta-auth-js, I added the following:
const oktaAuth = new OktaAuth({
  // issuer, clientId, redirectUri, etc. unchanged
  cookies: {
    sameSite: "lax"
  }
});
This meant that the okta-oauth-* cookies had their SameSite property set to Lax.
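A way to confirm the fix actually landed, added here as an example that is not from the thread or from Okta's SDK: it parses Set-Cookie header values (the three okta-oauth-* samples below are constructed, mirroring the cookies in the question) and lists every cookie whose SameSite attribute is missing or weaker than the pentest minimum of Lax.

```javascript
// Added example, not from the original thread or from okta-auth-js.
// Audits Set-Cookie header values against a minimum SameSite level.

const SAMESITE_RANK = { none: 0, lax: 1, strict: 2 };

// Parse one Set-Cookie header value into { name, attrs }.
// Attribute keys are lowercased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq0 = pair.indexOf("=");
  const name = eq0 === -1 ? pair : pair.slice(0, eq0).trim();
  const attrs = {};
  for (const part of attrParts) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name, attrs };
}

// Return the names of cookies whose SameSite is absent, unrecognised,
// or ranked below `minimum` ("lax" by default, per the pentest finding).
function findWeakSameSite(headers, minimum = "lax") {
  const required = SAMESITE_RANK[minimum.toLowerCase()];
  const weak = [];
  for (const h of headers) {
    const { name, attrs } = parseSetCookie(h);
    const ss = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
    const rank = ss in SAMESITE_RANK ? SAMESITE_RANK[ss] : -1; // -1 = missing/unknown
    if (rank < required) weak.push(name);
  }
  return weak;
}

// Constructed samples: the SDK cookies before and after setting cookies.sameSite.
const BEFORE = [
  "okta-oauth-nonce=abc123; Path=/; Secure; SameSite=None",
  "okta-oauth-state=xyz789; Path=/; Secure; SameSite=None",
  "okta-oauth-redirect-params=%7B%7D; Path=/; Secure; SameSite=None",
];
const AFTER = BEFORE.map((h) => h.replace("SameSite=None", "SameSite=Lax"));

console.log("weak before:", findWeakSameSite(BEFORE)); // all three names
console.log("weak after:", findWeakSameSite(AFTER));   // []
```

Feed it the real Set-Cookie values captured from the browser's network panel or a proxy to re-check the finding after each SDK upgrade.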