From 6bca92e4b94ff8ed4e9afd8046d0470ce8fd3313 Mon Sep 17 00:00:00 2001
From: Jonathan Johnson
Date: Fri, 10 Jan 2025 13:39:56 -0800
Subject: [PATCH] Configure Our Session Cookie Better

This `ilios-session` cookie is used to store internal frontend authentication data. We don't use it to authenticate against the backend, we pass the `X-JWT-Authorization` header for that. As it's only ever used on the frontend, where it is generated, we should be able to restrict it to that domain (Strict). This has the added benefit of reducing our payload on each request as we're no longer sending our JWT twice.
---
 packages/frontend/app/session-stores/application.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/frontend/app/session-stores/application.js b/packages/frontend/app/session-stores/application.js
index 9132355d68..1e71118ace 100644
--- a/packages/frontend/app/session-stores/application.js
+++ b/packages/frontend/app/session-stores/application.js
@@ -2,4 +2,5 @@ import Cookie from 'ember-simple-auth/session-stores/cookie';
 
 export default class ApplicationSessionStore extends Cookie {
   cookieName = 'ilios-session';
+  sameSite = 'Strict';
 }
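Review bot: The new `sameSite = 'Strict';` line carries no comment explaining why Strict is safe for this cookie, and the reasoning in the commit message will not be visible to whoever next edits the store; a one-line comment such as `// Read only client-side by this app, never by the backend (which gets X-JWT-Authorization), so Strict cannot lock users out on cross-site navigation.` keeps it with the code. SameSite only governs whether the cookie accompanies requests, so the JWT stored here remains readable by any script on the origin and this should not be read as an XSS mitigation. The payload-reduction claim in the description holds only if the backend is on a different site from the frontend, because same-site requests (including other subdomains of the same registrable domain) still carry the cookie; worth confirming against the deployment. This hunk also does not set the Secure attribute explicitly, so confirm the store already marks the cookie Secure when served over https.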