X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Plugin-Session-State-Cookie.git;a=blobdiff_plain;f=lib%2FCatalyst%2FPlugin%2FSession%2FState%2FCookie.pm;fp=lib%2FCatalyst%2FPlugin%2FSession%2FState%2FCookie.pm;h=c7bebf1a6000caeb0d31122abc6bd58d487afb04;hp=2e7a2a13eb52508133d875de96be9b84c71c0030;hb=f877359ebfc27bd0bc84ea6a8a7afab055ad377d;hpb=50dacea227c6f6f2c2304af24784beeb857b8eb6
diff --git a/lib/Catalyst/Plugin/Session/State/Cookie.pm b/lib/Catalyst/Plugin/Session/State/Cookie.pm
index 2e7a2a1..c7bebf1 100644
--- a/lib/Catalyst/Plugin/Session/State/Cookie.pm
+++ b/lib/Catalyst/Plugin/Session/State/Cookie.pm
@@ -81,6 +81,10 @@ sub make_session_cookie {
 $cookie->{httponly} = 1
 unless defined $cookie->{httponly}; # default = 1 (set httponly)
+ $cookie->{samesite} = $cfg->{cookie_samesite};
+ $cookie->{samesite} = "Lax"
+ unless defined $cookie->{ samesite}; # default = Lax
+
 return $cookie;
 }
@@ -255,6 +259,26 @@ that this cookie works only over HTTP and not over HTTPS.
 Note2: This parameter requires Catalyst::Runtime 5.80005 otherwise is skipped.
+=item cookie_samesite
+
+This attribute configures the value of the
+L
+flag.
+
+If set to None, the cookie will be sent when making cross origin requests,
+including following links from other origins. This requires the
+L flag to be set.
+
+If set to Lax, the cookie will not be included when embedded in or fetched from
+other origins, but will be included when following cross origin links.
+
+If set to Strict, the cookie will not be included for any cross origin requests,
+including links from different origins.
+
+Default value is C. This is the default modern browsers use.
+
+Note: This parameter requires Catalyst::Runtime 5.90125 otherwise is skipped.
+
 =item cookie_path
 The path of the request url where cookie should be baked.
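Review bot: The new `cookie_samesite` value is copied from `$cfg` into `$cookie->{samesite}` without any check, so a misspelled value, or `None` on a cookie that is not marked secure, is emitted as-is. The POD added later in this commit itself states that `None` requires the Secure flag, and browsers that enforce this discard such a cookie, which shows up as sessions silently failing to persist. Consider validating right after the default is applied, e.g. `warn "cookie_samesite must be Strict, Lax or None" unless $cookie->{samesite} =~ /\A(?:Strict|Lax|None)\z/i;`, plus a second warning when the value is `None` and `$cookie->{secure}` is not set; how `secure` is populated is outside this hunk, so the check belongs after that assignment. Minor style point: `$cookie->{ samesite}` has a stray space inside the braces. make_session_cookie begins above the hunk.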
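Review bot: The `cookie_samesite` entry explains what each value does but not the security trade-off of choosing `None`. With `None` the session cookie accompanies every cross-site request, so the protection against cross-site request forgery that the Lax default provides is gone and the application has to supply its own. I would add one sentence to the `None` paragraph, e.g. `Only use None when the session must be available in cross-site contexts, and pair it with application-level CSRF protection.` The closing note says the parameter is skipped before Catalyst::Runtime 5.90125, while the code hunk in this commit sets `$cookie->{samesite}` unconditionally; presumably older runtimes ignore the unknown key, but that is not visible here and is worth confirming.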